First, what is SHA? In basic terms, SHA is a component of an SSL certificate used to ensure that data has not been modified. SHA accomplishes this by computing acryptographic function and any change to a given piece of data will result in a different hash value.
As a result, differing hash values are key to determining if data has been altered. SHA-2 is the technical successor to SHA-1 and provides greater security than SHA-1. As computing power increases, SHA-1 will be able to be decrypted more easily and susceptible to exploitation by criminals and hackers.
Due to the impending need to adopt SHA-2-based certificates, a number of factors are driving the elimination of SHA-1, ranging from compliance with U.S. NIST and PCI standards, to the technical rejection of certificates in the Microsoft’s operating systems and Google’s popular Chrome browser.
It is important to understand that the failure to comply with NIST and PCI requirements currently in effect could result in significant financial penalties for non-compliance, but it will not have any operational effect.
At the same time, it should be strongly noted that the deprecation policies of Microsoft, Google and Mozilla could result in significant negative impact to IT operations and end-user experience.
U.S. NIST Guidance counseled that SHA-1 should not be trusted past January 2014 for the higher level of assurance communications over the U.S. Federal Bridge PKI. Agencies have been phasing out the use of SHA-1 certificates across the government. Most government contractors are also required to meet these requirements with varying deadlines.
PCI compliance scanners currently require their clients to use SHA-2-compatible SSL certificates. In order to validate PCI DSS compliance, you must ensure that Web server(s) in the PCI environment are configured to disallow SSL (Secure Sockets Layer) Version 2, as well as weak ciphers and hashes. PCI network scanners finding SHA-1 certificates will fail a compliance audit.
Microsoft, Google and Mozilla have each announced new policies for CAs to deprecate the use of the SHA-1 algorithm in digital certificates in favor of SHA-2.
As it relates to SSL certificates, the Microsoft policy affects CAs that are members of the Windows Root Certificate Program that issue publicly trusted certificates. As this policy comes into effect, applications that rely on the use of digital certificates will no longer function properly and will not be considered secure unless they u SHA-2-based certificates.
The Google and Mozilla policies will affect browsers that have not been updated. Failure to migrate to SHA-2 in a timely manner will result in browsers not displaying content properly and end-users receiving security warnings. This often causes users to abandon a site or transaction, or call support services such as helpdesks or customer service.
While at this point the continued use of SHA-1 doesn’t present a security risk, failure to properly migrate from SHA-1 to SHA-2 will result in business disruption and compliance risk.
With some of the changes already in effect — and others coming online very shortly — it’s critical to develop and implement a migration plan starting today.
For an in-depth breakdown of how to develop a successful transition to SHA-2, download, “A Migration Guide to SHA-2 SSL Certificates: Avoiding pitfalls, meeting critical deadlines and eliminating service disruptions during SHA-1 certificate deprecation.”