As more and more of our public and private lives are carried out on the internet, online security is growing in importance. This is why the continued use of vulnerable technologies, such as SHA-1 to protect data is so surprising.
First, a little background information
Secure Socket Layer (SSL) is used to encrypt sensitive data as it is passed between your website and your customers. When they enter the checkout process, SSL is used to prevent criminals from “eavesdropping” on the transaction to steal credit card details for instance.
What is SHA-1?
SSL relies on a digital “certificate” to verify that your website is secure and your company is legitimate. SHA-1 is the encryption technique used to “sign” the certificate. This digital signature is used to prevent forgery by cybercriminals – which is the first step to stealing your security identity.
As far back as 2005, security researchers discovered that SHA-1 was vulnerable to “cracking” – i.e. the certificate could be decrypted and copied – and in the last nine years, advances in computing speeds and have made this cracking process quicker and easier.
Why is SHA-1 important?
SHA-1 has been replaced by a newer, more secure version of the technology – SHA-2. However some providers of SSL certificates are still selling SHA-1 variants. Worse still, businesses are often buying and installing these certificates without fully understanding the online security risks involved.
A study by Netcraft estimates that around 90% of SSL certificates are still signed using the now-discredited SHA-1 method, meaning that there are literally millions of websites at risk of cracking.
Web browser support for SHA-1 to end
Google has decided to try and force an increase in SHA-2 SSL certificate adoption, by creating a new warning system that alerts users of potential security risks when visiting a website. From 7th November, any sites using SHA-1 will be identified by the Chrome web browser as “secure but with minor errors” and flagged with a yellow warning indicator in the address bar. From next year, these sites will be flagged as “affirmatively insecure”, giving users a bright red warning in the address bar.
Mozilla, creators of the Firefox browser, and Microsoft (Internet Explorer) have also announced changes to their software that will render SHA-1 protected sites inaccessible after 2016.
What do you need to do?
To avoid these problems, site owners will need to replace their insecure SSL certificates with a new SHA-2 version. Google, Microsoft and Mozilla have issued a changeover deadline of 2017, giving businesses plenty of time to make the required changes. However, delaying replacement increases the risk of being hacked – a situation that could have serious repercussions for your clients and business.
If your business is currently using an SHA-1 signed certificate, or you’re not sure which encryption algorithm your site uses, you should seek professional advice sooner rather than later.
Leave a Reply
