
SHA-1 Migration: Are We There Yet?

Venafi CIO & CISO Tammy Moskites looks at SHA-1 migration and what companies need to do now that the deadline for migration has already passed.

By Ellie Burns

We all tend to feel uneasy when our web browser issues a security warning. You certainly don’t want your organization’s website to be responsible for issuing these kinds of red flags, because they cause business partners, customers and employees to doubt the security of your organization. This problem is already a reality for 21 percent of the world’s websites. According to new research from Venafi Labs, these sites still rely on the outdated (and vulnerable) SHA-1 hashing algorithm, which is no longer trusted by most major browsers. Millions of websites have been impacted by this change and there is approximately a one in five chance that some of your organization’s infrastructure could be caught out as well.

So, what’s the problem with SHA-1? And why is it on the way out?

Chrome Security Warning

SHA-1 Certificates Are Vulnerable To Attack

Back in January 2011, the National Institute of Standards and Technology (NIST) forewarned organizations of SHA-1’s vulnerability. In the years since that warning, certificate authorities and browser vendors have been coming to terms with the agonisingly slow death of the deprecated hashing algorithm.

In late 2015, researchers discovered that a successful SHA-1 collision attack could be created for as little as $75,000. More recently, Google-affiliated security researchers announced they cracked the SHA-1 security standard using a collision attack. These attacks are now even more affordable and more likely, so browser vendors are upping their game, actively warning users that sites using SHA-1 certificates are not secure. Mozilla and Google started rejecting access to sites with SHA-1 certificates on January 1, 2017, while Microsoft IE and Edge began blocking sites using SHA-1 on February 14, 2017. Mozilla considered ending support for SHA-1 certificates in Firefox as early as January 2016, but reconsidered after evaluating the potential impact on users.

Firefox Security Warning

How Safe Is Your Business From a SHA-1 Exploit?

If you assume that your organization has already moved away from SHA-1 to SHA-2 or SHA-3, you may want to check with your IT staff to be sure. Nearly one fifth of the internet still hasn’t eradicated SHA-1 yet, despite the repeated warnings from Google, Mozilla and others. This means that there’s a reasonable chance that SHA-1 is still lurking somewhere within your organization, even if the most obvious places have already been migrated.

This observation doesn’t reflect badly on your hard-working IT staff. Migrating from SHA-1 to a more secure algorithm isn’t as straightforward as it would seem. For one thing, large enterprises typically have tens of thousands of certificates to manage, and most don’t have the tools or automation to manage them effectively. Add in the rapid increases in the number of machines on enterprise networks and the rapid changes in machine profiles connected with DevOps and FastIT initiatives and you can see how the process can become complex. And some legacy applications simply don’t support SHA-2 or SHA-3.

Opera security warning

What’s the Real Impact of a Stalled SHA-1 Migration?

Despite the difficulty involved, it is critically important to complete the migration as soon as possible. Sites still running on SHA-1 certificates are ‘red-flagged’ by browsers. With some browsers, your potential customers will not see the ‘green padlock’ they look to as a guarantee of trust; instead they will see a warning message. But some browsers may not even grant the visitor access to the site. It’s not hard to see how this could have negative consequences for your brand reputation and increase customer service calls.


Another concern is that SHA-1 can leave your organization vulnerable to breaches and regulatory fines, both of which are expensive and time-consuming. It makes sense to make sure your organization isn’t caught unaware.

Are you sure your organization has completely migrated from SHA-1?
