SHAppening SSL Certificate to SHA-2

Friday, December 18, 2015

For websites with SSL certificate installed, it’s time to start migrating SHA-1 certificate to SHA-2. SHA (Secure Hashing Algorithm) is a cryptographic hash function that generates a compressed function of fixed length and has varying versions.

In practicality, most SSL certificates today are encrypted with either SHA-1 or SHA-2; with SHA-2 being the industry standard (as of 8 Dec 2015) for digital certificates.

New Research Findings: Freestart Collision for SHA-1

In 2015, three researchers, Stevens, Karpman and Peyrin ran an experiment, The SHAppening: freestart collision for full SHA-1 and uncover results that led them to find two different combinations of input validation and messages resulting in the same output.

freestart collision
A freestart collision example for SHA-1

Because of the remarkable findings – proving the dangers behind SHA-1 signatures – Stevens, Karpman and Peyrin called for ‘SHAppening’ – whereby SHA-1 based signatures should be marked as unsafe much sooner than prescribed by current international policy.

Current Situation with SHA-1 Certificates

ssl warning
Image Source: DigiCert

SHA-1 certificates will cause Google Chrome browsers to display various insecure warning icon depending on (1) the version used for Chrome and (2) the expiry date of SHA-1 SSL certificate. This is done with the intention of surfacing out SHA-1 signatures over time by January 2017, which is currently set by the CA/B Forum.

Microsoft Internet Explorer and Mozilla Firefox likewise will stop trusting websites with SHA-1 certificates by January 2017.

Time to Make the Switch Soon

Image Source: Netcraft SSL Survey October 2015

Soon, SHA-1 certificates will become a thing of the past yet surprisingly, one million SSL certificates are still using insecure SHA-1 signatures. For websites with SHA-1 certificates that decide not to take any migration actions soon, this will put their website in danger of (1) weak security and (2) lost in website visits as a result of browser display warnings.

Acting on It: SHA-1 to SHA-2 Migration

If you suspect your website has an SHA-1 SSL Certificate, follow the steps through below to work on migration.

Step 1: Click on the ‘secure padlock’ > ‘connections’ to see if the SSL certificate installed is SHA-1. You should be able to see warnings from browsers at this point (as highlighted in yellow).

Step 2: Click on ‘certificate information’ > ‘details’. Under signature algorithm and the signature hashing algorithm, you can tell if SHA-1 is being used.

sha 1 ssl

Alternatively, you can make use of DigiCert® SHA-1 Sunset Tool to confirm if any domains you own have SHA-1 signatures for the certificate.

digicert sha 1
Step 3: Speak with your SSL certificate provider and ask for a re-issuance of a SHA-2 certificate. Thereafter, install the SHA-2 certificate in your server once again.

Fine-Tuning Security

Many security administrators have a common misconception that digital certificates will update on its own accordingly after installation and typically leave SSL certificate until expiry. Such a case is arguably ideal; however, as the SSL/TLS industry continues advancing to another level, it is on the security administrators part to fine tune security implementations, including the works of SHA-1 to SHA-2 migration.

ashleeAbout Ashlee Ang

Ashlee is a content writer at Cyber Secure Asia where she writes about introductory topics on cyber security and cyber-related happenings in Singapore & South East Asia.

Share :    

Back to Blog