Why Google is Forcing SHA-1 SSLs Into Retirement & How It Affects You
Posted October 2, 2014 by Ryan Ours in Google, Internet Security
Does your site currently use an SSL certificate? If you process any payments or deal with any other sensitive information on your site, the answer is most likely yes. What you may not know however is that soon your SSL certificate may be obsolete. Continue reading to find out how this affects you and what can be done to mitigate the risk of this having negative implications on your site.
In September of 2014, Google announced that it was going to be “Gradually Sunsetting SHA-1”. You may be asking, what exactly is SHA-1? SHA-1 is a cryptographic hash algorithm used to secure websites with a SSL (Secure Sockets Layer) Certificate. An SSL certificate ensures that when you go to https://www.facebook.com, you’re visiting the real Facebook and not giving your password to an attacker. SHA-1 was designed by the United States National Security Agency and published by the United States National Institute of Standards and Technology in 1995. In February 2005, a little over 9 years ago, Bruce Schneier – an American cryptographer, computer security and privacy specialist, and writer – blogged about a study done by a research team at Shandong University in China that discovered a feasible attack on the SHA-1 hashing algorithm. Their findings proved that SHA-1 could be vulnerable to attack if a user had the correct means and computing power available to them.
Fast forward 9 years, and we’re still using SHA-1 as a cryptographic hashing algorithm for SSL certificates. In fact, according to a study by SSL Pulse, 85% of sites use SHA-1 certificates as of September 2014. Google has decided that it’s time to change this with some changes to their Chrome browser’s HTTPS security indicator.
Google will soon start penalizing sites that use SHA-1 certificates that expire during 2016 and after. This is a major policy change that requires immediate action. Google plans to gradually start showing warnings over the next few months for any site using a SHA-1 certificate that expires on or after January 1, 2017.
Google Chrome browser HTTPS security indicator for SHA-1 SSL certificates over time
Just before Christmas 2014, the first set of warnings will hit, and these warnings will get more and more stern over the following 6 months after Christmas. Eventually, even sites with SHA-1 certificates expiring in 2016 will be given “secure, but with minor errors” yellow warnings.
By gradually making these warnings sterner as time goes on, Google is doing its best to push people into updating their website’s SSL certificates to SHA-2 before things get worse. Although this may seem like an annoyance to site owners and webmasters, it’s really a very good thing for the Internet. Considering Bruce Schneier was talking about the need for getting away from SHA-1 over 9 years ago and nothing has really changed, it’s time for people to be taking this security risk more seriously.
If you have a website that uses SSL and are currently under a maintenance & support package with Springboard Marketing, you can rest easy knowing that we’ll ensure your certificate is upgraded to SHA-2 before December 2014. If you’re not on a maintenance & support package with Springboard Marketing, you should test your site to see if your certificate is using SHA-1 (chances are, it is using SHA-1). You can use this tool to test your site. If you need help upgrading your certificate, contact us today and we’d be glad to give you a helping hand.
Let’s all take Google’s lead on this, and do what we can to proactively make the Internet a safer place for everyone.