As deadlines go, Jan. 1, 2017, isn’t far away, yet many organizations still haven’t switched their digital certificates and signing infrastructure to use SHA-2, the set of cryptographic hash functions succeeding the weaker SHA-1 algorithm. SHA-1 deprecation must happen; otherwise, organizations will find their sites blocked by browsers and their devices unable to access HTTPS sites or run applications.
All digital certificates -- the ones that guarantee the website accepting payment card information is secure, that software is authentic, and that a message was sent by a person and not an impersonator -- are signed using a signature scheme built on a cryptographic hash function. The most common hash is currently SHA-1, despite significant cryptographic weaknesses that leave the certificates vulnerable to collision attacks.
The current recommendation is to use the SHA-2 algorithm for all new certificates; existing SHA-1 certificates, meanwhile, will be replaced by newer versions signed with SHA-2. This isn’t as simple as it sounds, as the migration isn’t a two-step process where you flip off SHA-1 and flip on SHA-2. Instead, it requires intensive testing and analysis to ensure all devices, sites, and software are using SHA-2 correctly.
Time is running out. While Google, Mozilla, and Microsoft are sticking with Jan. 1, 2017, as the official cutoff date, Chrome and Firefox browsers already throw errors with websites using SHA-1 certificates. Microsoft Edge and Internet Explorer will follow suit this summer. Google and Mozilla will not likely follow through with previous hints to move up the deadlines to July 1, but nothing is keeping them from arbitrarily stopping support before the end of the year.
Completing the migration in time is now a race, and it takes careful planning and execution to succeed. Here’s a checklist to help you stay on track.
1. Assemble the team
The biggest challenge facing the migration is logistical, not technical. Assemble a team that understands why SHA-2 is necessary and set them to work on the testing process. The team should involve IT directors, application managers, developers, and owners of public-facing websites, as well as network administrators and security professionals, not to mention those in charge of the organization’s SaaS apps, managed services, and online services.
Make sure the organization’s executive team understands that migrating can’t be treated as an optional task or one that can be deferred. Because so many dependencies and so much testing are involved, it’s better to spend the next six months on the migration than to cram it in alongside other big projects at the end of the year. Don't forget to reach out -- help desk and customer service staff should be aware of the road map so that they know what kind of calls to expect.
2. Know the schedule
The good news: About 7.6 percent of SSL-encrypted sites still use SHA-1, and that number is dropping steadily, according to SSL Pulse. Thus, most websites already use SHA-2 certificates. However, that only means the vast majority of encrypted public websites will be safe from SHA-1 collision attacks. SSL Pulse doesn’t look at private certificates or internal applications, which still need to be migrated.
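Inventorying those internal certificates comes down to reading the signature algorithm out of each one. The following is an added example, not code from the article: it uses only the Python standard library to walk the outer DER structure of a certificate, decode the signatureAlgorithm OID and classify it as SHA-1 or SHA-2. The certificate it checks is a constructed DER shell with placeholder contents, not a real certificate; on a real inventory you would feed it the DER bytes of each exported certificate.

```python
SHA1_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10040.4.3": "dsaWithSHA1", "1.2.840.10045.4.1": "ecdsaWithSHA1"}
SHA2_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
             "1.2.840.113549.1.1.13": "sha512WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content bytes -> dotted decimal (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Outer signatureAlgorithm OID of Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The outer field records the hash the CA actually applied, which is what browsers evaluate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)                # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)           # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def classify(der):
    """'sha1' (must be replaced), 'sha2', or 'unknown' (review by hand)."""
    oid = signature_oid(der)
    return "sha1" if oid in SHA1_OIDS else "sha2" if oid in SHA2_OIDS else "unknown"

def constructed_cert(pkcs1_alg_byte):
    """CONSTRUCTED sample, not a real certificate: correct outer DER framing around a
    placeholder tbsCertificate and signature. 0x05 = sha1WithRSA, 0x0B = sha256WithRSA."""
    tlv = lambda tag, v: bytes([tag, len(v)]) + v            # short-form lengths suffice here
    oid = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01" + bytes([pkcs1_alg_byte])  # 1.2.840.113549.1.1.x
    alg = tlv(0x30, tlv(0x06, oid) + b"\x05\x00")            # AlgorithmIdentifier { OID, NULL }
    return tlv(0x30, tlv(0x30, b"\x02\x01\x01") + alg + tlv(0x03, b"\x00" * 9))
```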
The timeline is a little hazy, but here are the key dates:
- In early 2016, Google started displaying a certificate error in Chrome for SHA-1 certificates issued on or after Jan. 1, 2016, and chained to a public certificate authority. Other applications and devices are expected to follow.
- Sometime in the summer of 2016, when Windows 10 Anniversary Update is released, Internet Explorer and Edge browsers will no longer treat SHA-1 signed TLS certificates as trusted. The sites will still be accessible, but the address bar lock icon will no longer be displayed.
- Starting Jan. 1, 2017, Microsoft will block code-signing certificates that lack the Mark of the Web and are time-stamped before Jan. 1, 2016. Google will completely stop supporting SHA-1 certificates in Chrome.
- Starting Feb. 14, 2017, Microsoft will block code-signing certificates that lack the Mark of the Web and are time-stamped after Jan. 1, 2016. Internet Explorer and Edge will block SHA-1 signed TLS certificates completely.