Despite months of reminders and warnings, more than one-third of websites will become inaccessible come 2017. There is barely a month left before major browsers stop trusting certificates signed with the SHA-1 hash, but 60 million-plus websites still rely on the insecure hash algorithm, according to the latest estimates from security company Venafi.
Starting Jan. 1, Mozilla’s Firefox browser will show an “Untrusted Connection” error for sites using a SHA-1 certificate, and Google’s Chrome browser will drop all support for SHA-1 and completely block sites using SHA-1 certificates. Microsoft has said its Edge and Internet Explorer browsers will start blocking the sites outright on Feb. 1, 2017.
These error messages are different from the browser warnings users typically see for incorrectly configured site certificates, which users can ignore and still access the site. In the case of Google, Chrome will display a network error with no way for the user to bypass it and reach the site. Mozilla will allow Firefox users to override the error message if the issuing certificate authority is included in Mozilla’s CA Certificate Program.
Users will no longer be able to access these websites after the deadline, significantly disrupting business operations, warned Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. While there has been significant progress with the migration — Mozilla said last month that the use of SHA-1 on the web since May 2016 has dropped from 3.5 percent to 0.8 percent — a substantial number of websites still rely on the weak certificates. These organizations are at risk for security breaches, compliance problems, and outages affecting security, availability, and reliability.
of identifying all the certificates that need to be changed, deploying and testing the new certificates, revoking old certificates, and setting up controls to manage the new certificates.
For many organizations, the process of migrating away from SHA-1 to SHA-256 or other safer cryptographic hash functions is like an unpleasant visit to the dentist, Bocek said.
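The first migration step above, identifying which certificates are still SHA-1 signed, can be automated against an exported certificate inventory. The following Python helper is an added example, not code from the article or from Venafi: it reads just enough DER framing to reach the outer signatureAlgorithm OID of an X.509 certificate and flags the SHA-1 based algorithms. The sample input it builds is a constructed certificate-shaped byte string, not a real certificate.

```python
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # the set this audit flags
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1", "1.2.840.10040.4.3": "dsa-with-sha1"}

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last base-128 byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Walk Certificate -> skip tbsCertificate -> signatureAlgorithm.algorithm."""
    tag, start, _ = _tlv(der, 0)                     # Certificate SEQUENCE
    tag2, _, tbs_end = _tlv(der, start)              # tbsCertificate SEQUENCE
    tag3, alg_start, _ = _tlv(der, tbs_end)          # AlgorithmIdentifier SEQUENCE
    tag4, oid_start, oid_end = _tlv(der, alg_start)  # algorithm OBJECT IDENTIFIER
    if (tag, tag2, tag3, tag4) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not a DER-encoded X.509 certificate")
    return _decode_oid(der[oid_start:oid_end])

def is_sha1_signed(der):
    """True when the certificate's outer signature uses a SHA-1 based algorithm."""
    return signature_oid(der) in SHA1_SIG_OIDS

def _der(tag, body):
    """Tiny DER encoder, used only to build the constructed sample input below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_der(alg_hex):
    """Constructed certificate-shaped DER for demonstration (not a real certificate)."""
    tbs = _der(0x30, b"\x02\x01\x02" * 50)  # 150-byte dummy body, forces long-form length
    alg = _der(0x30, bytes.fromhex(alg_hex) + b"\x05\x00")  # algorithm OID + NULL params
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))  # + dummy BIT STRING signature

SHA1_RSA_ALG = "06092a864886f70d010105"    # sha1WithRSAEncryption, OID 1.2.840.113549.1.1.5
SHA256_RSA_ALG = "06092a864886f70d01010b"  # sha256WithRSAEncryption, OID 1.2.840.113549.1.1.11
```

For a real inventory, base64-decode the body of each PEM file (the text between the BEGIN/END lines) and pass the resulting bytes to is_sha1_signed; a certificate that chains to a private CA still needs migrating, it is only exempt from the browsers' public-CA cutoff.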
The coming changes in browsers
Major web browsers have been warning of the impending changes for months. Chrome and Firefox currently display a certificate error warning for sites using SHA-1 certificates issued on or after Jan. 1, 2016. Edge and Internet Explorer have already stopped displaying the address bar lock icon, which indicates the site is secured and trusted, for sites using SHA-1.
Chrome 56, scheduled to be released at the end of January, will be the first version of the browser with support for SHA-1 certificates removed completely. However, the browser will distinguish between certificates chained to a public certificate authority and those chained to local CAs until 2019 to support enterprises that want to continue using SHA-1 certificates for internal applications. Starting with Chrome 54, site administrators will have to deploy the EnableSha1ForLocalAnchors policy to allow certificates chained to local trust anchors. This policy must be set, or SHA-1 certificates chained to locally installed CAs will also start being blocked by Chrome 57, expected in March 2017.
Google may choose to remove support for locally signed SHA-1 certificates before 2019 in the event of a serious cryptographic break. Enterprises should be using this two-year reprieve to migrate those internal certificates off SHA-1.
Firefox 51, currently in Developer Edition and expected to be released in January, will display the Untrusted Connection message starting January, but users will be able to override the warning for the time being. Support for SHA-1 certificates from publicly trusted CAs will be completely disabled “in early 2017,” Mozilla said. SHA-1 certificates that chain up to a manually imported root certificate, as specified by the user, will continue to be supported, but Mozilla encouraged enterprises to migrate those certificates as soon as possible.
Don’t wait until things are broken
Online trust relies on all the players working together, and digital certificates are a key component of the trust equation. If an organization relies on weak certificates, it is undermining the trust model. Certificate authorities were supposed to stop issuing SHA-1 certificates after Jan. 1, 2016, for example. If a CA is still issuing SHA-1 certificates, then organizations should change CAs.
Cryptographic projects are hard and the price for making a mistake during deployment can be high, so many businesses have stuck their heads in the sand instead of dealing with the migration to SHA-2. However, the deadline isn’t going away, and the organizations will see actual business impact for delaying the process. Many organizations will be operating with smaller IT staff as employees take time off before the end of the year, making the process even more challenging. Even so, it will be far better to work on the bulk of the migration in the time left, rather than try to fix the problems after things start breaking in January.
“Leaving SHA-1 certificates in place is like putting up a welcome sign for hackers that says, ‘We don’t care about the security of our applications, data, and customers,’” Bocek said.