Venafi CIO & CISO Tammy Moskites looks at SHA-1 migration and at what companies need to do now that the deadline for migration has already passed.
We all tend to feel uneasy when our web browser issues a security warning. You certainly don’t want your organization’s website to be responsible for issuing these kinds of red flags, because they cause business partners, customers and employees to doubt the security of your organization. This problem is already a reality for 21 percent of the world’s websites. According to new research from Venafi Labs, these sites still rely on the outdated (and vulnerable) SHA-1 hashing algorithm, which is no longer trusted by most major browsers. Millions of websites have been impacted by this change, and there is approximately a one in five chance that some of your organization’s infrastructure could be caught out as well.
So, what’s the problem with SHA-1? And why is it on the way out?
SHA-1 Certificates Are Vulnerable To Attack
Back in January 2011, the National Institute of Standards and Technology (NIST) forewarned organizations of SHA-1’s vulnerability. In the years since that warning, certificate authorities and browser vendors have been coming to terms with the agonizingly slow death of the deprecated hashing algorithm.
In late 2015, researchers discovered that a successful SHA-1 collision attack could be created for as little as $75,000. More recently, Google-affiliated security researchers announced they had cracked the SHA-1 security standard using a collision attack. These attacks are now even more affordable and more likely, so browser vendors are upping their game, actively warning users that sites using SHA-1 certificates are not secure. Mozilla and Google started rejecting access to sites with SHA-1 certificates on January 1, 2017, while Microsoft IE and Edge began blocking sites using SHA-1 on February 14, 2017. Mozilla had considered ending support for SHA-1 certificates in Firefox as early as January 2016, but reconsidered after evaluating the potential impact on users.
How Safe Is Your Business From a SHA-1 Exploit?
If you assume that your organization has already moved away from SHA-1 to SHA-2 or SHA-3, you may want to check with your IT staff to be sure. Nearly one fifth of the internet still hasn’t eradicated SHA-1, despite the repeated warnings from Google, Mozilla and others. This means there’s a reasonable chance that SHA-1 is still lurking somewhere within your organization, even if the most obvious places have already been migrated.
This observation doesn’t reflect badly on your hard-working IT staff. Migrating from SHA-1 to a more secure algorithm isn’t as straightforward as it would seem. For one thing, large enterprises typically have tens of thousands of certificates to manage, and most don’t have the tools or automation to manage them effectively. Add in the rapid increase in the number of machines on enterprise networks and the rapid changes in machine profiles that come with DevOps and FastIT initiatives, and you can see how the process becomes complex. And some legacy applications simply don’t support SHA-2 or SHA-3.
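Finding the SHA-1 certificates that are still lurking starts with a mechanical check: the hash is named by the signatureAlgorithm OID in each certificate’s DER encoding. The script below is an added example written for this article, not Venafi’s tooling or code from the original post; it uses only the Python standard library, the function names (signature_hash, fake_cert and the helpers) are my own, and fake_cert builds a constructed, certificate-shaped blob purely so the check can be exercised offline.

```python
# Added example, not from the article: report the hash named in a certificate's outer
# signatureAlgorithm field, using a minimal DER walker from the standard library only.
SIG_OID_HASH = {  # signature-algorithm OIDs from RFC 3279, RFC 4055 and RFC 5758
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.10040.4.3": "SHA-1",        # dsaWithSHA1
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}
def _tlv(buf, pos):  # read one DER tag-length-value; return (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length itself
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(value):  # DER OID contents -> dotted string; first byte packs two arcs
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last base-128 byte of this arc
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))
def signature_hash(cert_der):
    """Return the hash named by the certificate's signatureAlgorithm, or 'unknown'."""
    _, cert, _ = _tlv(cert_der, 0)   # Certificate ::= SEQUENCE {tbs, sigAlg, signature}
    _, _tbs, pos = _tlv(cert, 0)     # skip tbsCertificate wholesale
    _, sig_alg, _ = _tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    tag, oid, _ = _tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return SIG_OID_HASH.get(_decode_oid(oid), "unknown")
# --- constructed input for offline testing: certificate-SHAPED DER, not a real cert ---
def _der(tag, content):  # DER encoder sufficient for the small blobs built here (< 256 bytes)
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content
def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]; arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F)); arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)
def fake_cert(sig_oid):  # dummy tbsCertificate + real-shaped AlgorithmIdentifier + dummy signature
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID then NULL params
    return _der(0x30, _der(0x30, _der(0x02, b"\x02")) + alg + _der(0x03, b"\x00" + b"\xAA" * 8))
```

To audit real certificates, feed signature_hash() the DER bytes from ssl.PEM_cert_to_DER_cert() applied to a PEM file or to ssl.get_server_certificate((host, 443)). Check every intermediate in the chain as well as the leaf, since browsers evaluate the whole chain below the root (root self-signatures are not validated).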
What’s the Real Impact of a Stalled SHA-1 Migration?
Despite the difficulty involved, it is critically important to complete the migration as soon as possible. Sites still running on SHA-1 certificates are ‘red-flagged’ by browsers. With some browsers your potential customers will not see the ‘green padlock’ they look to as a guarantee of trust; instead they will see a warning message. Some browsers may not even grant the visitor access to the site at all. It’s not hard to see how this could damage your brand reputation and increase customer service calls.
Another concern is that SHA-1 can leave your organization vulnerable to breaches and regulatory fines, both of which are expensive and time consuming. It makes sense to make sure your organization isn’t caught unaware.
Are you sure your organization has completely migrated from SHA-1?