Browser Vendors Are Shutting Down SHA-1 Digital Certificates

SHA-1 digital certificates are being shut down by browser vendors based on the findings of a group of security researchers from universities in France, Singapore and the Netherlands. Their paper, titled “Freestart Collision for Full SHA-1,” demonstrated how to gain access to encryption keys protected by SHA-1.

The researchers estimated that $120,000 could rent enough computing power to compromise encryption keys protected by a SHA-1 certificate. Once these encryption keys have been compromised, a malicious actor would have the ability to steal data being sent over the network, including user IDs and passwords, credit card numbers and any other information.

The Challenge With SHA-1 Digital Certificates

Most consumers using a browser don’t know whether they are accessing a website with an unsafe SHA-1 certificate. As such, browser vendors are taking it upon themselves to sunset support for any site with SHA-1 digital certificates.

Microsoft recently published an update to its SHA-1 deprecation road map. Starting this summer, Microsoft Internet Explorer and Edge will be removing the address bar lock icon for websites using SHA-1 digital certificates. Microsoft went on to say it intends to completely block access to websites using SHA-1 digital certificates by February 2017.

Firefox, Chrome and other vendors have made similar announcements. In fact, Chrome already displays an error message when it encounters a SHA-1 certificate.

Why Are We Seeing a Lot of Press Around Encryption Problems?

The information security industry has been relying on old encryption standards that date back to the 1990s. At the time, these standards were considered safe enough; only nation-state attackers would have had the computing power or technology capable of performing a brute-force attack. Today, technology has drastically improved processing power and capabilities, rendering these old standards inadequate.

The SHA-1 digital certificate is a subset of the Transport Layer Security (TLS) 1.0 specification. This security standard is becoming increasingly outdated as security researchers continue to demonstrate its weaknesses.

Every business should consider moving to newer encryption standards to avoid the risk of a data breach. Some risks and recommendations were highlighted in the recent IBM report “Outdated Encryption Standards Pose a Serious Risk of Data Breach.”

What Steps Should a Business Take to Mitigate Risks?

It is imperative that websites that still rely on SHA-1 digital certificates move to SHA-2. Using SHA-1 digital certificates also implies that the organization is leveraging other old encryption standards within TLS 1.0. As such, it is essential for security professionals to review information and recommendations for both short- and long-term strategies for moving to the modernized encryption standards available in the TLS 1.2 protocol.
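One way to find the certificates that need reissuing, as an added example that is not from the original article or from IBM: it reads the signatureAlgorithm field of a DER-encoded certificate with only the Python standard library and flags SHA-1 signatures. The function names and the two sample inputs are constructed for illustration.

```python
import ssl
# SHA-1 signature OIDs: sha1WithRSAEncryption, dsa-with-sha1, ecdsa-with-SHA1.
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10040.4.3", "1.2.840.10045.4.1"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Return the OID of Certificate.signatureAlgorithm, the issuer's signature."""
    _, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)

def is_sha1_signed(cert_der):
    return signature_oid(cert_der) in SHA1_SIGNATURE_OIDS

def fetch_leaf_der(host, port=443):  # needs network; the samples below do not call it
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# Constructed skeletons (not real certificates); only signatureAlgorithm is meaningful.
def _skeleton(alg_oid_der):
    tbs = b"\x30\x81\xc8" + bytes(200)             # 200-byte body forces a long-form length
    alg = b"\x30\x0d" + alg_oid_der + b"\x05\x00"  # OID plus NULL parameters
    body = tbs + alg + b"\x03\x05\x00" + bytes(4)  # placeholder BIT STRING signature
    return b"\x30\x81" + bytes([len(body)]) + body

SAMPLE_SHA1 = _skeleton(bytes.fromhex("06092a864886f70d010105"))
SAMPLE_SHA256 = _skeleton(bytes.fromhex("06092a864886f70d01010b"))
```

`fetch_leaf_der` returns only the server's leaf certificate, so intermediate certificates in the chain need the same check.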

Bill O'Donnell

Chief Middleware Security Architect, IBM

Bill O'Donnell is a Senior Technical Staff Member for IBM Cloud Middleware. He is the Chief Security Architect and Chief Security Compliance Officer for IBM's software product development. Bill is responsible for the Security Architecture in IBM Middleware On-Premise and Cloud offerings. He additionally handles a number of security initiatives across the IBM organization, which include security compliance for SaaS and PaaS offerings, secure engineering, security architecture and design, and vulnerability response. Bill has over 25 years of experience in large scale mainframe and distributed systems with a unique security focus on software architecture and infrastructure architecture. Bill specializes in end to end infrastructure and application security. He has published a number of Redbooks, papers, and is the author of the Secrets of SOA.