There’s been a lot of talk recently about Secure Sockets Layer (SSL) and Google’s push to render certificates with certain hashnig types as no longer secure. Here's a summary of what it all means and what you can do to ensure you’re site is prepared for the future.
What is SHA-1 and why does it matter?
SHA-1 is the hashing algorithm used to ensure that the certificate used is a genuine certificate issued by a trusted authority. Otherwise, anyone could generated a certificate and impersonate your site. SHA-1 is a long established method for hashing, having been first released in 1995, and currently has no practical known attacks. However, this won’t be the case in the future as increases in computational technology will be leave it vulnerable in the not too distant future, with many experts predicting possibly by 2018.
What does it mean for my site?
So given the enormous volumes of sites using SHA-1 Google is acting now to prompt the transition of sites with SSL certificates using SHA-1 to the more recent and secure SHA-2 hashing by incrementally disabling security support for SHA-1 SSL certificates in the Chrome browser. While dates are still to be locked down for Google’s roll out for Chrome versions, they have released what to expect to see in the browser with each new version:
With Chrome version 39 (November 2014) SSL’s using SHA-1 expiring before 2016 will appear solid green, and those expiring after 2016 will appear with a notice of some errors.
With Chrome version 40 (late Dec 2014) SSL’s using SHA-1 expiring before May 2016 will appear solid green, those expiring between June 2016 – Dec 2016 will appear with some warnings, and those expiring after 2017 will receive a neutral (solid grey) bar.
With Chrome version 41 (2015 Q1) SSL’s using SHA-1 expiring in 2016 will appear with some warnings and those expiring after 2017 will appear as a red strike.
What can I do?
Essentially what all this means is that if your site uses an SSL certificate using SHA-1 your site is not vulnerable yet but has the potential to be in the future. If you have purchased an SSL certificate through Conetix, contact us for an assessment and potential resupply of your certificate so that it uses SHA-2 hashing. There is no cost for this re-issue.
If you have purchased your SSL through another provider, contact them regarding your certificate.