SSL certificates (today more precisely TLS certificates) are the most popular way of authenticating websites and encrypting sensitive information over the web. The standard has been in use for around 20 years and is used by the industry to protect everything from ecommerce transactions to passwords. You probably use SSL every day (look for the padlock icon and the https:// prefix in URLs), for instance on social media and your favourite shopping sites. Modern mobile devices also rely heavily on SSL to exchange sensitive information and to download apps.

Weak Signatures

Most SSL certificates in use today are signed by their certificate authority using a hashing algorithm known as SHA-1. That signature is what lets a browser verify that a certificate really was issued by a trusted authority, so it lies at the core of how the certificate protects data. However the aging algorithm is weaker than designed against collision attacks, where an attacker searches for two different inputs that produce the same hash; this is considerably cheaper than a plain brute-force search. Given enough computing power, such a collision can be used to obtain a forged certificate that browsers accept, allowing an attacker to impersonate a site and intercept the traffic to it. Weaknesses in SHA-1 have been known for roughly the last 10 years; with ever more powerful and cheaper computing power this has now become a realistic threat. Over the past few years security researchers and organisations around the world have urged web browsers and certificate authorities to move away from SHA-1.


Google Chrome Action Plan

Google has recently been pushing for a variety of initiatives aimed at making the Internet generally safer and more secure. In response to the recent security breaches and raised public awareness, the search giant intends to use its massive global reach to push for more robust action on this matter.

Google has now announced that its popular Chrome web browser will take steps to remove its trust in certificates signed with SHA-1. The company outlined how such certificates will be flagged as weak in upcoming versions of the browser, forcing websites to move to certificates signed with SHA-256 (a member of the newer SHA-2 family).


Chrome 39 (Branch point 26 September 2014):

Sites with end-entity (“leaf”) certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.

Chrome 40 (Branch point 7 November 2014; Stable after holiday season):

Sites with end-entity certificates that expire between 1 June 2016 to 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”. Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “neutral, lacking security”.

Chrome 41 (Branch point in Q1 2015):

Sites with end-entity certificates that expire between 1 January 2016 and 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”. Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domain will be treated as “active mixed content”.


What Users Must Do

As users of the web, we should ensure that our web browser software is up to date by installing new releases as they become available. Using an outdated web browser may expose you and your organisation to serious security risks.

What Operators Must Do

Operators of websites should immediately check their SSL certificates for any use of SHA-1. What matters is the signature algorithm on each certificate (shown as sha1WithRSAEncryption in OpenSSL output, for example), not the key type or the cipher suites the server offers. Any such certificate needs to be reissued by its certificate authority with a SHA-256 signature; the existing key pair can be kept, although generating a fresh one at the same time is good practice. This check must also cover the certificates higher in the chain issued by the certificate authority, known as intermediate certificates: a SHA-256 leaf certificate chained to a SHA-1 intermediate still triggers Chrome's warnings. The self-signature on the root certificate is not relevant, as browsers trust roots by identity rather than by verifying their signature. Contact your SSL certificate authority for more information about this process, as it varies from one vendor to the next.
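As an added example (not code from this post or from Webcraft), the following Python script puts the two checks above in one place: it reads the signature algorithm OID out of the outer framing of a DER-encoded certificate, flags SHA-1 on the leaf or any intermediate, and maps the result onto the Chrome 39/40/41 schedule quoted earlier. It uses only the standard library. The certificates it runs on are constructed stubs (a placeholder tbsCertificate under real outer framing, not certificates anything would accept), and the rule that versions after Chrome 41 keep the Chrome 41 treatment is an assumption of mine, not something Google stated.

```python
# Added example: SHA-1 chain check mapped onto Chrome's sunset schedule.
from datetime import date

# Signature-algorithm OIDs that use SHA-1 (RFC 3279 / RFC 4055).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID contents to dotted form (base-128, high bit = continue)."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def signature_algorithm_oid(der_cert):
    """OID of the outer signatureAlgorithm. RFC 5280: Certificate ::= SEQUENCE {
    tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(der_cert, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(body, 0)           # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)    # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30
    tag, oid, _ = _read_tlv(alg_id, 0)       # its first element is the OID
    assert tag == 0x06
    return _decode_oid(oid)

def chrome_treatment(chrome_version, leaf_not_after, chain_has_sha1):
    """UI treatment per Google's schedule. Versions after 41 are ASSUMED
    (not stated in the schedule) to keep the Chrome 41 rules."""
    if not chain_has_sha1 or chrome_version < 39:
        return "secure"
    jan_2016, jun_2016, jan_2017 = date(2016, 1, 1), date(2016, 6, 1), date(2017, 1, 1)
    if chrome_version == 39:
        return "secure, but with minor errors" if leaf_not_after >= jan_2017 else "secure"
    if chrome_version == 40:
        if leaf_not_after >= jan_2017:
            return "neutral, lacking security"
        return "secure, but with minor errors" if leaf_not_after >= jun_2016 else "secure"
    if leaf_not_after >= jan_2017:
        return "affirmatively insecure"
    return "secure, but with minor errors" if leaf_not_after >= jan_2016 else "secure"

def assess_chain(chrome_version, der_chain, leaf_not_after):
    """der_chain = [leaf, intermediate, ...]; leave the root out, browsers never
    verify its self-signature. Returns (treatment, indexes of SHA-1-signed certs)."""
    sha1_at = [i for i, c in enumerate(der_chain)
               if signature_algorithm_oid(c) in SHA1_SIG_OIDS]
    return chrome_treatment(chrome_version, leaf_not_after, bool(sha1_at)), sha1_at

# --- constructed sample input: minimal DER encoder and certificate stubs ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def stub_cert(sig_oid):
    """Constructed stub: real outer framing, placeholder tbsCertificate."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))  # placeholder: a lone INTEGER
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))  # dummy BIT STRING

SHA256_RSA, SHA1_RSA = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"

if __name__ == "__main__":
    # Leaf already reissued with SHA-256, but the CA's intermediate is still SHA-1.
    chain = [stub_cert(SHA256_RSA), stub_cert(SHA1_RSA)]
    for version in (39, 40, 41):
        print(version, assess_chain(version, chain, date(2017, 3, 1)))
```

To run it against a live site, export each certificate from `openssl s_client -connect host:443 -showcerts`, convert the PEM blocks with `openssl x509 -outform DER`, and pass the leaf and intermediates (not the root) to assess_chain together with the leaf's expiry date. A SHA-256 leaf under a SHA-1 intermediate still comes back as "affirmatively insecure" for Chrome 41, which is exactly why the intermediates must be replaced as well.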

Whilst this process is now being spearheaded by Google Chrome, we expect all other major web browser vendors to follow suit very swiftly.

Webcraft

Webcraft operates websites for its customers around the world, including ecommerce and other security-intensive apps. Our SSL certificates have already been updated to the latest SHA-2 standard, ahead of the first deadline imposed by Google.

Get in touch with us in case you require any further information about the above or if you wish to discuss your requirements with our experts.