For years, major web browsers like Chrome and Firefox had been planning to block SHA-1 certificates, Then they ramped up their efforts. They warned that if your site was still using SHA-1 certificates, then visitors to your website in Chrome would be met with this warning. A warning like that will have even your most loyal customers running for safety. In addition to Chrome, other popular web browsers like Mozilla Firefox and Microsoft Edge joined in blocking SHA-1 certificates. Yet despite all the attention about the SHA-1 to SHA-2 transition, 35% of websites were still using SHA-1 certificates.
So why did a full third of websites use insecure cyber-security measures? To answer that question, let’s first go over what SHA is, why SHA-2 is an improvement over SHA-1, and how you can be sure your organization is protected.
PKI: Are You Doing It Wrong?
What are SHA certificates?
SHA stands for Secure Hash Algorithm. It was originally developed by the United States National Security Agency (NSA) and has been adopted as an industry standard for file integrity verification and digital signatures. Basically, it’s a way of knowing that incoming files over an internet or network connection haven’t been tampered with because, theoretically, no two input values should be able to result in the exact same hash output. However, experts have known since 2005 that the original SHA-1 certificate was vulnerable to attack. In response to rising concerns, the NIST (National Institute of Standards and Technology) officially deprecated SHA-1 in 2011. Then, on February 23rd, 2017, Google and the Dutch research institute CWI announced that they had successfully broken SHA-1 practice using a simulated collision attack. This breakthrough further underscores the vulnerabilities of SHA-1 as well as the absolute necessity for websites to migrate over to SHA-2 as soon as possible.
What is the difference between SHA-1 and SHA-2 certificates?
SHA-2 has improved certificates specifically designed to prevent harmful breaches such as man-in-the-middle and collision attacks. SHA-2 is actually a collection of six hash functions that exponentially increases an organization’s capacity to identify and guard against cyber-attacks. So far, the integrity of SHA-2 certs has been upheld through extensive testing (much like the tests that exposed weaknesses in SHA-1).
How do I know if my organization has expired certificates?
Even if you’ve been rolling over to SHA-2 certificates for quite a while, it can be difficult to ensure that there aren’t any expired SHA-1 certificates lurking. Even for an organization of average size, you could have tens of thousands of keys and certificates, and you may not have the visibility and resources to track them all. And implementing a process to identify and rollover every certificate can be daunting and confusing. The truth is, however, unless you have a detailed plan in place to implement, track, and verify the SHA-1 migration process, you may not know that you have expired certificates leaving your business vulnerable to attacks.
What are the risks of having hidden, expired SHA-1 certificates?
As mentioned above, the vulnerabilities of SHA-1 certificates have been known for over a decade. Now, with popular web browsers already blocking expired certificates, the consequences of having hidden SHA-1 certs are immediate and far-reaching:
- Increased risk of a collision attack or man in the middle attack .
- Added risk with the presence of wildcard SSL certificates.
- Getting your website blocked on popular web browsers.
- Loss of revenue from customers who are blocked from visiting your site.
- Loss of future business as people lose trust in your brand.
- It’s much more difficult and expensive to fix the problem after you’ve been blocked or fined (or worse, experienced a cyber-attack) than it is to rollover to SHA-2 beforehand.
In addition to these risks, you have an obligation to your customers to protect their identities and the integrity of their transactions with your business. Not only is this good business sense, but having a secure website protects your customers and establishes trust in your brand and service.
How to make the switch and completely rollover to SHA-2 certificates
The process of switching over to SHA-2 can be chaotic and complex. However, with a plan in place, it can be easier than you’d think. And it’s much better to be proactive about removing expired certificates than trying to fix a broken website. The process of SHA-1 migration can be broken into 7 steps:
- Identify all SHA-1 certificates.
- Consider the impact of migration on your everyday business operations.
- Automate the migration of SHA-1 to SHA-2.
- Make a policy to ensure all new certificates are SHA-2.
- Implement a “change control” process to ensure accuracy and compliance.
- Validate your SHA-1 migration through a report, proving the process is complete.
Is future-proof cybersecurity a possibility?
As cyber criminals become more sophisticated, there’s an increased need to be diligent in continually updating security protocol of all your digital assets. Unless you have the in-house team and the resources to stay proactive and updated with all the latest strategies, you’ll always be left hoping you’re lucky enough to avoid attack (until you become so far behind that an attack is inevitable). So, is it possible to be future-proof when it comes to cyber security? The most important thing in the short term is to get a plan in place and move things forward toward a complete SHA-2 transition.