Which SSL Reviews

Internet Security

Time to Transition from Vulnerable SHA-1

March 21, 2017 | By  

Secure Hash Algorithm – 1 (SHA-1) is outdated and insecure. It is vulnerable to attacks. Most IT majors such as Google, Microsoft, Apple and IT security companies have emphasized on migrating to the more secure SHA-2 or SHA-3. But the fact remains that millions of websites have not yet heeded the warning and are still sticking onto the SHA-1 cryptographic hash algorithm.
The deadline for migration has passed. The depreciation or sunsetting of SHA-1 has commenced and Google’s Chrome would not display a”fully trustworthy” notification for these websites. Microsoft would now treat SHA-1 as an untrusted certificate. And all other browsers will implement similar measures.
In 2011, the CA/Browser Forum had recommended that all Certificate Authorities (CAs) should transition from SHA-1 as soon as possible, as SHA-1 did not meet the baseline requirements for SSL. Notably, in 2010, NIST had deprecated SHA-1 for government use.

Time to Transition from Vulnerable SHA-1

Google researchers demonstrated a real-world collision attack in collaboration with the CWI Institute in Amsterdam. Though this exercise took a long time and significant resources to enact, it is possible that hackers would be able to replicate the same attacks.

Repercussions

  • Web sites will suffer if they do not transition immediately.
  • Browsers will display warnings
  • Website visitors will not transact in untrusted websites
  • Business would suffer
  • HTTPS notice in the address bar will appear as “unsecure”
  • The website will become slow
  • Further on, browsers will block SHA-1 websites
  • Man in the middle (MitM) attacks can take place on SSL/TLS connections.

How to Stay Secure: Recommendations

  • Organizations must immediately transition to higher than SHA-1
  • They must secure not only their public-facing website but also their private networks
  • Install/subscribe to an SSL certificate management system
  • Secure with appropriate SSL certificates
  • Obtain SSL certificates only from reputed Certificate Authorities

Organizations must learn from the deadly cyber attacks that have taken place – such as the Heartbleed attack. The Heartbleed Bug was a serious vulnerability that allows stealing of information protected by the SSL/TLS encryption. The bug was an exploit of a vulnerability in OpenSSL cryptographic software library. It demonstrated the importance of cryptography and the need for automation for better website security.
For organizations, any further delay in transitioning from SHA-1 is not recommended. The repercussions are severe and may lead to a long-term business loss for the organizations.

Posted in Internet Security,SSL Certificate

Leave a Comment


 


* fields are mandatory