A daily scan of the headlines reveals growing distrust and concern over the safety of information traversing the Internet. Whether it is photos of celebrities, health records, or payment card data, how we protect information in transit matters: it forms the basis for trust.
Historically, we have also been slow to move away from older, established solutions. Sometimes it feels like the only way to get action is in the wake of a crisis.
Maybe the tide is turning.
From offering ranking preference to SSL-enabled websites to speeding the deprecation of SHA-1 certificates, Google seems to be experimenting with ways to force changes faster.
While the changes themselves are generally welcome, some question their pace, especially the timing of the forced move from SHA-1 to SHA-2 certificates in the next few months.
Doug Beattie, vice president of Product Management at GlobalSign, and Wayne Thayer, vice president and General Manager at GoDaddy, both on the Steering Committee of the Certificate Authority Security Council, took time this week to share their thoughts on the impacts and the steps you need to take now to avoid a problem early next year.
What’s the issue?
The SHA-1 hash algorithm, used to sign digital certificates, has known cryptanalytic weaknesses: collision attacks are already cheaper than brute force in theory, and researchers expect growing computing power to make them practical within a few years. A practical collision would let an attacker produce a fraudulent certificate that carries a legitimate CA's signature. That is why an eventual move from SHA-1 to the SHA-2 family (SHA-256 and stronger) is necessary.
In light of this, Microsoft announced a two-year transition plan that removes all support for SHA-1 certificates by 2017. The goal is to move everyone off certificates that could be exploited in the coming years before the weakness becomes an actual problem.
In terms of the scope of this challenge, Wayne Thayer explained that Google recently cited their own research to suggest roughly 600,000 active certificates use SHA-1. Thayer suggested that GoDaddy thinks the actual number could be double. It seems reasonable to suggest the scope is roughly one million certificates.
To push site operators to replace certificates sooner, Google recently announced a plan to degrade Chrome's user interface for sites with SHA-1 certificates in progressive steps: the first warnings arrive in about nine weeks, and they get progressively more severe through February 2015 (read the discussion here).
Doug Beattie explained that, “Based on Google’s recent SHA-1 policy, we’re actively notifying our customers to upgrade their certificates to SHA-256. We recommend that all website operators should obtain an accurate inventory of their SSL certificates, and upgrade all externally accessible sites with SHA-1 certificates that expire in 2016 and especially in 2017 or later, as these will receive the most visible UI warnings.”
The Impact of Google’s Decision
The accelerated timeline raises two concerns:
- the potential for confusion or erosion of trust for consumers
- the timing for commerce sites; many retail and commerce-focused shops enact code and change freezes leading up to the busy winter and holiday shopping seasons.
Forcing certificate changes during this window puts companies in an awkward position. With Chrome holding roughly 40-50% of browser market share (sources here, here, and here), ignoring a plan that degrades the experience for Chrome users is risky.
From the CA Council announcement:
Considering many users may still use software lacking SHA-2 support, primarily Windows XP SP2, and the still unknown impact of a complete SHA-1 migration, this 12-week timeline is aggressive. In addition, many devices still lack SHA-2 support, making possibly unplanned and expensive upgrades necessary.
What you need to do today
Large companies tend to have a large number of SSL certificates. That means a lot of certificates to assess and possibly replace. The good news is that most (but not all) certificate authorities now issue new certificates signed with SHA-2, and many re-issue existing certificates with SHA-2 at no additional charge (check with the provider you use).
While the cost of the replacement certificate itself is low, assessing and making the change still takes time and resources. Beattie and Thayer suggest three steps to get started:
- Inventory your certificates: scan your hosts and run reports to find certificates whose signature algorithm is SHA-1 (for example, sha1WithRSAEncryption). Use https://sslcheck.casecurity.org for a quick check of a single site, or rely on enterprise tools to catalog a large volume of certificates. Record each certificate's expiration (notAfter) date, because Chrome's warning level depends on it, and include the intermediate CA certificates in each chain: a SHA-1 intermediate triggers the same warnings as a SHA-1 leaf.
- Prioritize the replacement of SHA-1 certificates by expiration date and use. Certificates that expire in 2017 or later face the stiffest penalty in terms of degraded experience, so clear those on commerce and Internet-facing sites first. Then work through certificates that expire in 2016. Those expiring in 2014/2015 should be fine to replace on their normal renewal schedule.
- Consider legacy applications and clients that may not support SHA-2 certificates. For example, Windows Server 2003 does not support SHA-2 without a hotfix, and Windows XP before SP3 does not support it at all. In these and similar cases, test the affected clients against a SHA-2 certificate before cutover; the impact may be more complicated than a simple swap.
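As an added example (not the CA Security Council's checker, nor code from GlobalSign or GoDaddy), the Python script below implements the three steps in one place: it pulls a server's leaf certificate, reads the signatureAlgorithm OID and notAfter date straight from the DER with a minimal walker, and ranks each SHA-1 certificate by the expiry tiers described above. The hostnames and certificates in SAMPLES are constructed so the script runs offline; swap in fetch_der() against your own hosts. The tier cut-offs (2017 or later, 2016, earlier) come from the post; the OID table is an assumption covering the common RSA and ECDSA signature schemes.

```python
"""Inventory TLS certificates and rank SHA-1 replacements by expiry tier.

Added example; not code from the post's authors or their companies.
"""
import datetime
import socket
import ssl

# signatureAlgorithm OIDs for common signature schemes (assumed sufficient for triage)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _tlv(buf, pos):
    """Decode the DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid_to_str(value):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _parse_time(tag, value):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (tag 0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(value.decode("ascii"), fmt)


def parse_sig_and_expiry(der):
    """Return (signature algorithm name or raw OID, notAfter) from a DER certificate."""
    _, cert, _ = _tlv(der, 0)                     # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                     # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                    # [0] EXPLICIT version, if present
    if tag != 0xA0:
        pos = 0                                   # v1 certificate: no version field
    _, _, pos = _tlv(tbs, pos)                    # serialNumber
    _, sig_alg, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                    # issuer Name
    _, validity, _ = _tlv(tbs, pos)               # validity SEQUENCE
    _, _, vpos = _tlv(validity, 0)                # notBefore
    ttag, not_after, _ = _tlv(validity, vpos)     # notAfter
    oid = _oid_to_str(_tlv(sig_alg, 0)[1])
    return SIG_OIDS.get(oid, oid), _parse_time(ttag, not_after)


def priority(sig_name, not_after):
    """Replacement priority following the expiry tiers described in the post."""
    if sig_name not in SIG_OIDS.values():
        return "REVIEW: unrecognised signature algorithm " + sig_name
    if "sha1" not in sig_name.lower():
        return "OK: already SHA-2"
    if not_after.year >= 2017:
        return "P1: replace now (SHA-1, expires 2017 or later, strongest Chrome warning)"
    if not_after.year == 2016:
        return "P2: replace next (SHA-1, expires in 2016)"
    return "P3: replace at scheduled renewal (SHA-1, expires 2015 or earlier)"


def classify(der):
    name, not_after = parse_sig_and_expiry(der)
    return name, not_after, priority(name, not_after)


def fetch_der(host, port=443, timeout=5):
    """Fetch the leaf certificate a live server presents (with SNI), ignoring trust errors."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # inventory only: we want the cert even if untrusted
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample certificates so the script runs offline -------------------
def _der(tag, payload):
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload


def _der_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([p[0] * 40 + p[1]])
    for v in p[2:]:
        enc = [v & 0x7F]
        v >>= 7
        while v:
            enc.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(enc)
    return _der(0x06, bytes(out))


def make_sample_cert(sig_oid, not_after_utc):
    """Constructed v1-shaped certificate with an empty key and a dummy signature:
    enough for parse_sig_and_expiry(), not a usable certificate."""
    alg = _der(0x30, _der_oid(sig_oid) + b"\x05\x00")         # AlgorithmIdentifier + NULL
    validity = _der(0x30, _der(0x17, b"140101000000Z") + _der(0x17, not_after_utc.encode()))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + _der(0x30, b"") + validity
               + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


SAMPLES = {                       # constructed inventory; these are not real hosts
    "shop.example": make_sample_cert("1.2.840.113549.1.1.5", "170630235959Z"),
    "api.example": make_sample_cert("1.2.840.113549.1.1.5", "160315000000Z"),
    "legacy.example": make_sample_cert("1.2.840.113549.1.1.5", "150201000000Z"),
    "new.example": make_sample_cert("1.2.840.113549.1.1.11", "170630235959Z"),
}

if __name__ == "__main__":
    for host, der in SAMPLES.items():      # use classify(fetch_der(host)) against live hosts
        name, exp, prio = classify(der)
        print(f"{host:16} {name:24} {exp.date()}  {prio}")
```

The script inspects only the leaf certificate. A SHA-1 intermediate in the chain produces the same Chrome warnings, so run parse_sig_and_expiry() over every certificate the server sends (for example, each block from `openssl s_client -showcerts`) before declaring a site clean.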
The impact on each organization depends on the number of certificates and on its current change-management and testing practices. For some, a simple swap might take a few minutes. Other changes could require significantly more time, especially if legacy systems are involved.
Did Google get it right?
Many of us feel that sometimes the wheels of change turn a bit slow in security. With that in mind, is the move by Google a welcome press on the industry, or a tax on already overburdened teams that could have properly phased out the certificates over the next two years?
What benefit does the aggressive timetable provide over the two-year plan?
I recognize the concerns. On both sides.
Trust on the Internet is important. Anything that creates confusion or erodes trust is a concern. However, the broader impact this will have on users and their experience is still unclear.
Does this create a “boy who cried wolf” like situation that conditions people to ignore security warnings?
Regardless of whether Google is right or not, this means security and other technology teams must adapt their priorities on a rapid cycle or risk the degradation of the experience for their customers.
What do you think? Did they get it right? Share a comment below or share your thoughts with me on twitter (@catalyst) about how this affects you, and what you would do if you were Google…