SHA-1, a popular algorithm used to secure websites, will soon produce warnings in modern browsers.
What is SHA-1?
SHA-1 is a one-way cryptographic hash algorithm that is incredibly popular. As of May, over 90% of all secure websites used it to sign their SSL certificates. In simple terms, an SSL certificate encrypts the traffic between your site and the visitor so that no one else can read that data. It also provides a means to prove to the visitor that you are who you claim to be.
In 2005, researchers found that it was mathematically possible to break SHA-1. Fortunately, doing so is also very computationally expensive: some estimates put the cost of a successful break at $1-2 million. To date there have been no known cases of compromise. We know that this cost will decrease with each passing year, and estimates expect collisions to occur by 2018.
Google, Microsoft, and Mozilla all plan to remove SHA-1 support from their browsers. In Chrome 39, released in November, sites with a SHA-1 SSL certificate that expires in 2017 will be shown as “secure, with minor errors”. In Chrome 40 the warning range widens to certificates expiring between June 1 and December 31, 2016, and anything expiring in 2017 is treated like unencrypted HTTP traffic. In Chrome 41 the range widens again to January 1 through December 31, 2016, and anything expiring in 2017 will show error messages. Google is doing this to urge you to move away from SHA-1.
What should I do?
You should generate a new SSL certificate using the SHA-2 algorithm. The vulnerability present in SHA-1 is not present in SHA-2. Generating a new SSL certificate is relatively simple. Server admins can generate a SHA-2 (SHA-256) certificate signing request with the following command:
openssl req -new -sha256 -key your-private.key -out your-domain.csr
You may have done this when you regenerated a new SSL certificate in response to the Heartbleed vulnerability. Note that the -sha256 option only applies to the request itself; the certificate authority decides which hash is used to sign the certificate it issues, so confirm with your CA that it issues SHA-2 certificates.
Does my site use SHA-1?
The website Shaaaaaaaaaaaaa has a simple test that works with any secure website. Simply type in the domain name and you’ll see if the site uses SHA-1 or SHA-2. You want to see that your favorite secure sites use SHA-2. This site produces an “Argh” message if you check a site that does not run under HTTPS.
Sadly, Google is not one of them.
Amazon, YouTube, Bing, Facebook, and LinkedIn do not use SHA-2 either. The most important major site I’ve found that uses SHA-2 is Twitter (that is, the most important after Brand Builder Websites, of course 😉).
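As an added example (not from the original post, and not the Shaaaaaaaaaaaaa site's own code), the following Python script reads the signature algorithm and expiry date out of "openssl x509 -text" output and reports how Chrome 39, 40 and 41 will treat the site under the schedule described above; it applies the 2017 cutoff as "expires on or after January 1, 2017", and the embedded certificate text is constructed sample data. Pass a hostname on the command line to have it pull the live certificate with openssl instead.

```python
import re, subprocess, sys
from datetime import datetime

# Constructed sample of the lines that matter from `openssl x509 -noout -text`
# (a SHA-1-signed leaf certificate expiring in March 2017).
SAMPLE_X509_TEXT = """\
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not After : Mar  3 23:59:59 2017 GMT
"""

def parse_x509_text(text):
    """Return (signature algorithm name, notAfter datetime) from `openssl x509 -text` output."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    raw = re.search(r"Not After\s*:\s*(.+GMT)", text).group(1)
    return alg, datetime.strptime(raw, "%b %d %H:%M:%S %Y GMT")

def chrome_status(alg, not_after, chrome_version):
    """How Chrome 39/40/41 presents a site whose certificate has this signature hash and expiry."""
    if not alg.lower().startswith("sha1"):
        return "secure"                      # SHA-2 (or better) signatures are unaffected
    expires_2017_or_later = not_after.year >= 2017
    if chrome_version == 39:                 # 2017+ expiry: "secure, with minor errors"
        return "secure, with minor errors" if expires_2017_or_later else "secure"
    if chrome_version == 40:                 # warning window widens to June 1, 2016 onward
        if expires_2017_or_later:
            return "neutral, treated like unencrypted HTTP"
        return "secure, with minor errors" if not_after >= datetime(2016, 6, 1) else "secure"
    if chrome_version >= 41:                 # all of 2016 warns; 2017+ is an outright error
        if expires_2017_or_later:
            return "insecure, error shown"
        return "secure, with minor errors" if not_after.year == 2016 else "secure"
    return "secure"                          # Chrome 38 and earlier: no SHA-1 treatment

def audit(text, versions=(39, 40, 41)):
    """Map each Chrome version to the status it would show for the certificate described in text."""
    alg, not_after = parse_x509_text(text)
    return {v: chrome_status(alg, not_after, v) for v in versions}

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: python sha1check.py example.com (needs openssl on PATH)
        host = sys.argv[1]
        chain = subprocess.run(["openssl", "s_client", "-connect", host + ":443", "-servername", host],
                               input=b"", capture_output=True).stdout
        text = subprocess.run(["openssl", "x509", "-noout", "-text"],
                              input=chain, capture_output=True).stdout.decode()
    else:
        text = SAMPLE_X509_TEXT
    for version, status in audit(text).items():
        print("Chrome %d: %s" % (version, status))
```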
We recommend that all secure websites make a plan to move to SHA-2 as soon as possible. Using SHA-2 will protect your users. It will also prevent your site from being flagged as insecure and damaging your brand. Nobody wants that.
Thank you and keep building your brand.