Just what is SHA-1 and what does it mean to me and my users?

SHA-1 is a hashing algorithm commonly used during the creation of digital signatures or certificates. Technically, SHA-1 (Secure Hash Algorithm 1) produces a 160-bit hash value that’s used to sign SSL certificates and is designed to ensure that each one is unique.

This means that your SSL certificate can’t be the same as any other certificate, even if someone tries to use it on a spoofed web address or URL, pretending to be you and your website; and because each certificate is tied back to a known and trusted Certificate Authority (CA), any visitor to your website can tell it’s you and not someone pretending to be you.

What’s SHA-2 and why should I be bothered?

Given the rise in computing power, the algorithm used in SHA-1 is now considered to be too weak to be properly secure. This issue has been recognised for several years, so Microsoft and others had agreed a timetable to replace SHA-1 with something better, namely SHA-2. However, in late 2014 Google announced a far more aggressive and shortened timescale to stop their Chrome browser accepting SHA-1 signed certificates.

Google’s actual timetable is complicated, based on the release of various versions of Chrome and the expiry date of the certificate in question. Rather than a simple drop-dead date, there’s a progressive degradation: a series of increasingly severe warnings to the end user about the certificate’s validity.

| Chrome version | Possible release date | Cert expires Jan-May 2016 | Cert expires Jun-Dec 2016 | Cert expires Jan 2017- | Indication |
|---|---|---|---|---|---|
| 39 | 3/11/14 | N/C | N/C | Yellow Triangle* | yellow-triangle |
| 40 | 15/12/14 | N/C | Yellow Triangle* | Blank Page no lock | blank_page |
| 41 | 26/01/15 | Yellow Triangle* | Yellow Triangle* | Red X** | redcross |

What does this mean for my site’s visitors?

The bottom line is that if you have an SSL certificate protecting your ecommerce site that is signed with SHA-1 and expires after 2016 then your users are already seeing warning messages that your site is “possibly” insecure.

The next release of Google Chrome (41), which is expected in the first quarter of 2015 and very likely in January/February, will change that message from “possibly insecure” to “definitely insecure”.

What should I do about it?

Firstly, don’t panic. The deprecation of the SHA-1 algorithm doesn’t immediately mean that your site becomes insecure; your traffic will still be encrypted. However, the impact of the various warning messages is bound to affect your visitors and you should be thinking about replacing any affected SSL certificates you may have.

Planning
Plan, don’t panic: the devil’s in the detail.
Baseline
Establish a baseline: understand what you have and where.
Prioritise
Evaluate each certificate and decide if it needs re-issue or replacement and by when. Remember the immediate issue affects real users and Chrome, not machine-to-machine SSL/TLS based communications. However, these too will need to be upgraded eventually.
Manage
Establish a solid change management and control process for the re-issue or replacement of all your certificates and key material. See this as an opportunity to improve and consolidate the procurement, installation and on-going management of one of your most important security assets.
Support
Ecommnet has a breadth of experience implementing secure systems including certificate-based identity management and encryption solutions. We can provide help and guidance as well as the best and most cost-effective tools to help you secure your digital assets.
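
As an added example (not part of the original article and not an Ecommnet tool), the Baseline and Prioritise steps can be scripted: read each certificate's signature algorithm and expiry date, then look up what the Chrome table above says a given version will show. The host names and certificate excerpts are constructed samples in the layout of `openssl x509 -noout -text` output, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed excerpts in the layout of `openssl x509 -noout -text` output.
SAMPLE_CERTS = {
    "shop.example.com": "Signature Algorithm: sha1WithRSAEncryption\n"
                        "    Not After : Feb 10 23:59:59 2017 GMT\n",
    "intranet.example.com": "Signature Algorithm: sha1WithRSAEncryption\n"
                            "    Not After : Mar  3 12:00:00 2016 GMT\n",
    "api.example.com": "Signature Algorithm: sha256WithRSAEncryption\n"
                       "    Not After : Aug 20 23:59:59 2017 GMT\n",
}

# Chrome behaviour copied from the article's table; the columns are the expiry
# bands Jan-May 2016, Jun-Dec 2016 and Jan 2017 onwards.
CHROME_TABLE = {
    39: ("N/C", "N/C", "Yellow Triangle"),
    40: ("N/C", "Yellow Triangle", "Blank Page no lock"),
    41: ("Yellow Triangle", "Yellow Triangle", "Red X"),
}

def parse_cert_text(text):
    """Return (signature algorithm, expiry datetime) from openssl text output."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text)
    end = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    if not alg or not end:
        raise ValueError("missing Signature Algorithm or Not After field")
    # openssl pads single-digit days with an extra space; collapse it first.
    stamp = " ".join(end.group(1).split())
    return alg.group(1), datetime.strptime(stamp, "%b %d %H:%M:%S %Y")

def chrome_indication(text, chrome_version):
    """Map one certificate to the table cell for the given Chrome version."""
    alg, not_after = parse_cert_text(text)
    if "sha1" not in alg.lower():
        return "not SHA-1 signed"
    if not_after < datetime(2016, 1, 1):
        return "expires before the table's ranges"
    band = 0 if not_after < datetime(2016, 6, 1) else 1 if not_after < datetime(2017, 1, 1) else 2
    return CHROME_TABLE[chrome_version][band]

def baseline(certs, chrome_version):
    """Inventory: host -> what the table says that Chrome version shows."""
    return {host: chrome_indication(text, chrome_version) for host, text in certs.items()}

if __name__ == "__main__":
    for host, result in baseline(SAMPLE_CERTS, 41).items():
        print(f"{host:24} {result}")
```

Certificates that come back as "Red X" or "Blank Page no lock" are the ones to re-issue first.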