Is Your Organization Still Using SHA-1 Certificates?

Friday, February 24, 2017
Google just publicly cracked the SHA-1 algorithm, officially rendering SSL certificates using this encryption algorithm insecure from man-in-the-middle attacks.

The National Institute of Standards and Technology (NIST) mathematically predicted this would happen about this time back in January 2011. See NIST Special Publication 800-131A Revision 1: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. Based on this recommendation, Google Chrome started warning users when they visited an SSL secured website that uses SHA-1 beginning November 2014.

Google Chrome SHA1 Notifications Gradually Ramped Up Over Time
Microsoft stated their SHA1 Deprecation Policy back in November 12, 2013, but it has since been removed. It originally said that that Windows will stop accepting SHA-1 end-entity certificates by January 1, 2017, and will stop accepting SHA-1 code signing certificates without timestamps after January 1, 2016. They updated their SHA-1 deprecation timeline to mid-2017 "to ensure compliance in all configurations and scenarios for Microsoft Edge and Internet Explorer 11."

Clearly, Google was more than happy to prove NIST's prediction right by announcing the first public SHA1 collision on February 23, 2017. Microsoft wrote a response the same day, but their timeline to remove SHA1 functionality from Windows remains mid-2017.

So who's at risk and what can be done about it?

Companies that use SSL-secured websites should check them to ensure they are not using the SHA-1 algorithm on any certificate. Root certificates are not affected by this, but best practice is to upgrade all Certificate Authorities (CA) to use the SHA256 algorithm. Nothing says bad press like a security warning or breach.

EXPTA Consulting provides PKI infrastructure services and can help install, reconfigure, or upgrade your existing PKI infrastructure securely and safely.

Users should run the latest versions of browsers. They should also be educated about browser security warnings, what they mean, and how to handle them.

Here are the current warnings users will see when visiting an SSL website using the SHA-1 algorithm from three popular browsers on Windows 10:

SHA1 Website in Chrome

SHA1 Website in Edge

SHA1 Website in Internet Explorer 11