In 2005, it was discovered that the secure hash algorithm SHA-1 wasn't as strong as it was initially thought to be, according to the Google Online Security Blog. In the years since, there has been a gradual move away from SHA-1.
The need for this upgrade was further validated recently by security blogger Bruce Schneier, who reported on a cryptanalysis of SHA-1 which found that it isn't collision-free. The experiment was carried out by Chinese cryptographers who, as Schneier explained, "developed an algorithm for finding collisions faster than brute force."
Schneier said the Chinese researchers' findings necessitated a broad move toward replacing SHA.
The Road to SHA-2
"Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI," Google stated in a Sept. 5 blog post.
Thus, the end of SHA-1 has arrived — and it's two years early, at that. But fortunately, the path to SHA-2 doesn't have to be fraught with complexity for you and your business.
By understanding the various deadlines and how they apply to you, you can make your enterprise's migration to SHA-2 streamlined and cost-effective. Here's how the security icons on your site's domain will be impacted by the transition, depending on which version of Chrome you're using or will use:
- Chrome 39 (Fall 2014): If your SHA-1 SSL certificate expires before the end of 2016, you won't see any changes. If that same certificate is set to expire on or after Jan. 1, 2017, however, then you'll see a lock with a yellow triangle over it, indicating "secure, with minor errors."
- Chrome 40 (Late 2014): If your SHA-1 SSL certificate expires in May 2016 or earlier, you won't see any changes. You'll see the lock with a yellow triangle if your certificate expires between June and December 2016, and a blank icon (which denotes "neutral, lacking security") if your certificate expires on or after Jan. 17, 2017.
- Chrome 41 (Early 2015): Based on past release dates, Chrome 41 is set to debut in the first quarter of 2015. With this release, if your SHA-1 SSL certificate expires in 2016, you'll see a yellow triangle over the standard lock icon. If your SHA-1 SSL certificate expires on Jan. 17, 2017, or later, site visitors will see a red X over the lock icon, indicating the site is "affirmatively insecure."
So Who's Impacted by The Switch to SHA-2?
Whether you're a general store that barely uses computers or a tech company that's firmly entrenched in the cybersphere, it's vital that you make the effort to be proactive and phase out SHA-1 for the more secure SHA-2. After all, it only takes a single attack to derail an enterprise's sense of security — and attackers are everywhere.
Not surprisingly, the businesses most likely to be impacted by this issue are e-commerce retailers, particularly since the shopping season brings an inevitable rise in online purchases. As shoppers crowd their favorite online retailers making holiday purchases, it's important that those businesses have the tools in place to defend the security of their patrons.
How to Take Action
Here are a few key action points for the migration to SHA-2:
- Server check. This one's simple: Just determine whether your server software supports SHA-2. If not, it's time for an upgrade.
- Certificate search. You know how you take inventory of merchandise? Well, now do the same thing, only for certificates. Scour your entire corporate network, determining exactly how many certificates you have.
- Prioritize. Determine which of the SHA-1 certificates in your system expire before 2015, and prioritize those as far as making the transition to SHA-2 goes.
- Reissue. For SHA-1-signed SSL certificates whose expiration date is after 2015, make a note to have them issued with SHA-2 when you renew them.
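As an added example (not code from the original article), here is a small Python script that carries out the "certificate search" and "prioritize" steps above on DER-encoded certificates: a minimal DER walker reads the signature-algorithm OID and the notAfter date, and `triage` applies the article's before/after-2015 rule. The sample certificate bytes are a constructed skeleton containing only the fields the parser walks, not a real signed certificate.

```python
import datetime as dt

# Signature-algorithm OIDs built on SHA-1: sha1WithRSAEncryption, ecdsa-with-SHA1.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):                        # split a SEQUENCE body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def _oid(value):                             # OBJECT IDENTIFIER octets -> dotted form
    arcs, cur = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                      # remaining arcs are base-128, high bit = continue
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(cur))
            cur = 0
    return ".".join(arcs)
def inspect(der):
    """Return (signature algorithm OID, notAfter date) of a DER-encoded X.509 certificate."""
    tbs = _children(_children(_tlv(der, 0)[1])[0][1])   # Certificate -> tbsCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0                   # v3 certs lead with an explicit [0] version
    sig_oid = _oid(_children(tbs[i + 1][1])[0][1])      # tbs.signature AlgorithmIdentifier
    tag, raw = _children(tbs[i + 3][1])[1]              # tbs.validity.notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return sig_oid, dt.datetime.strptime(raw.decode("ascii"), fmt).date()
def triage(der):
    """Article's rule: SHA-1 certs expiring before 2015 go first, the rest at renewal."""
    sig_oid, not_after = inspect(der)
    if sig_oid not in SHA1_SIG_OIDS:
        return "not SHA-1: no action"
    return "replace now" if not_after < dt.date(2015, 1, 1) else "reissue with SHA-2 at renewal"
# Constructed certificate skeleton (not a real, signed certificate) so the example runs
# offline; for real input use ssl.PEM_cert_to_DER_cert(pem_text) from the standard library.
SAMPLE_SHA1_2016 = (
    b"\x30\x3b\x30\x39"                                    # Certificate, tbsCertificate
    b"\xa0\x03\x02\x01\x02\x02\x01\x01"                    # version v3, serialNumber 1
    b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05\x05\x00"  # sha1WithRSAEncryption
    b"\x30\x00"                                            # issuer (left empty)
    b"\x30\x1e\x17\x0d140101000000Z\x17\x0d161231235959Z"  # validity: notBefore, notAfter
)
SAMPLE_SHA1_2014 = SAMPLE_SHA1_2016.replace(b"161231235959Z", b"141130235959Z")
SAMPLE_SHA256_2016 = SAMPLE_SHA1_2016.replace(b"\x01\x01\x05\x05\x00", b"\x01\x01\x0b\x05\x00")
```

Run `triage` over every DER certificate collected during the inventory step; the `_children` walker handles long-form lengths, so it works on full-size real certificates, not just the skeleton.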