For websites with an SSL certificate installed, it's time to start migrating from SHA-1 certificates to SHA-2. SHA (Secure Hash Algorithm) is a family of cryptographic hash functions that compress input of any size into a fixed-length output, and it comes in several versions.
In practice, most SSL certificates today are signed using either SHA-1 or SHA-2, with SHA-2 being the industry standard (as of 8 Dec 2015) for digital certificates.
New Research Findings: Freestart Collision for SHA-1
In 2015, three researchers, Stevens, Karpman and Peyrin, ran an experiment, The SHAppening: freestart collision for full SHA-1, and found two different combinations of initial value (IV) and message that result in the same output.
Because of these remarkable findings, which demonstrate the dangers of SHA-1 signatures, Stevens, Karpman and Peyrin called for SHA-1 based signatures to be marked as unsafe much sooner than prescribed by current international policy.
Current Situation with SHA-1 Certificates
SHA-1 certificates will cause Google Chrome to display various insecure-warning icons depending on (1) the version of Chrome used and (2) the expiry date of the SHA-1 SSL certificate. The intention is to phase out SHA-1 signatures over time by January 2017, the date currently set by the CA/B Forum.
Time to Make the Switch Soon
Soon, SHA-1 certificates will become a thing of the past, yet surprisingly, one million SSL certificates are still using insecure SHA-1 signatures. Websites with SHA-1 certificates that do not take migration action soon face (1) weak security and (2) lost website visits as a result of browser warnings.
Acting on It: SHA-1 to SHA-2 Migration
If you suspect your website has a SHA-1 SSL certificate, follow the steps below to migrate.
Step 1: Click on the ‘secure padlock’ > ‘connections’ to see if the SSL certificate installed is SHA-1. You should be able to see warnings from browsers at this point (as highlighted in yellow).
Step 2: Click on ‘certificate information’ > ‘details’. Under signature algorithm and the signature hashing algorithm, you can tell if SHA-1 is being used.
Alternatively, you can use the DigiCert® SHA-1 Sunset Tool to confirm whether any domains you own have certificates with SHA-1 signatures.
Step 3: Speak with your SSL certificate provider and ask for re-issuance as a SHA-2 certificate. Thereafter, install the SHA-2 certificate on your server.
Many security administrators share the misconception that digital certificates will update on their own after installation, and typically leave an SSL certificate in place until expiry. Such a case is arguably ideal; however, as the SSL/TLS industry continues to advance, it is up to security administrators to fine-tune their security implementations, including the SHA-1 to SHA-2 migration.
About Ashlee Ang
Ashlee is a content writer at Cyber Secure Asia where she writes about introductory topics on cyber security and cyber-related happenings in Singapore & South East Asia.