University and college website operators will likely have heard of the global upgrade to the security of SSL certificates being driven by the web browsers, but may not be aware of why these changes are coming about or what they need to do.
There has been quite a lot of confusion about what this entails, and I want to shed some light on the situation and help operators make the transition to the new standard.
Why are the changes happening?
SHA-1 (Secure Hash Algorithm 1) is a widely used cryptographic hash function that underpins many security protocols on the public web, including Secure Sockets Layer (SSL), where it is used to sign certificates. Almost all sites on the public web today are certified using the SHA-1 algorithm: it accounted for 98% of SSL certificates generated in 2013, and for 92% of all websites last year.
The problem lies in the fact that SHA-1 is no longer considered an acceptable standard. Now in its twentieth year, it has been identified as considerably weaker than once thought: the cost of mounting a collision attack against SHA-1 is becoming increasingly affordable, and threats are becoming more commonplace.
As a result, the National Institute of Standards and Technology (NIST) has recommended that SHA-1 be retired in favour of the stronger SHA-256 algorithm, a member of the SHA-2 family.
Phasing out the old
Of course, making the switch to the higher benchmark takes time. If web browsers suddenly refused to recognise SHA-1 certificates, a huge number of sites would be affected and would start showing security warnings. Instead, the standard is being deprecated gradually, to give operators time to obtain new certificates that use SHA-256.
But the timeframe isn't quite as simple as there being one set date by which all sites must comply. While the majority of the leading browser vendors, including Microsoft, will begin phasing out SHA-1 certificates in 2017, Google has already started the downgrade. For users of the latest version of Google Chrome (39), released in November 2014, this means that, depending on the security status of the site they're visiting, they will start to see visual indicators based on the padlock icon in the address bar.
At the moment people browsing via Chrome 39 may see a grey padlock with a yellow triangle on some sites that use SHA-1 certificates, rather than the 'safe' green icon they are used to, depending on when the SSL certificate expires. The symbol indicates that while the connection is secure and encrypted, the site's security measures are outdated.
As SHA-1 is deprecated over the next year this rating will drop further, which means that sites which continue to use SHA-1 certificates beyond Google's acceptance date (31 December 2016) will no longer be treated as secure. Anyone attempting to view an affected website will receive a warning explaining that the certificate is no longer considered secure and that their details may be at risk. The result will be huge disruption to website traffic and potential reputational damage for sites that don't upgrade their certificates in time, as well as greater risk of an attack.
What does this mean for you?
So what do colleges and universities need to do to make sure their websites continue to be treated as safe?
Administrators who want internet users to be able to keep accessing their websites securely will need to identify all the SSL certificates used in their organisation, establish which of them are signed with SHA-1, and find out how long each one has left to run.
Look at the expiry date of each certificate, that is, whether it runs for one, two or three years. To ensure your sites continue to be viewed as safe, any certificate using the SHA-1 function that expires in 2017 will need to be replaced with a SHA-256 equivalent immediately. Those that expire before 2017 can apply for a certificate with the higher standard as a matter of course as part of their renewal.
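A worked example of that inventory step, added here and not Jisc's code or any tool the article mentions: a small Python script that reads the signature algorithm and expiry date straight out of a DER-encoded certificate and applies the rule above (SHA-1 and valid into 2017 means replace now; SHA-1 and expiring before then means replace at renewal; anything else is fine). The minimal DER walker, the OID table and the certificate skeleton it runs on are all constructed for this illustration; the skeleton is unsigned and exists only so the script runs offline. In practice you would feed it real certificates exported from your servers, or run `openssl x509 -noout -text` on each one and read the Signature Algorithm and Not After lines.

```python
"""Triage X.509 certificates for the SHA-1 deprecation (constructed example)."""
import datetime

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) mapped to their hash family.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
# Google's acceptance date from the article: SHA-1 certs valid on or after this are urgent.
CUTOFF = datetime.datetime(2017, 1, 1)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed value (e.g. SEQUENCE) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    """Decode an OBJECT IDENTIFIER body into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _decode_time(tag, value):
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) per RFC 5280."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = (2000 + yy if yy < 50 else 1900 + yy), s[2:]
    else:
        year, rest = int(s[:4]), s[4:]
    return datetime.datetime(year, int(rest[0:2]), int(rest[2:4]),
                             int(rest[4:6]), int(rest[6:8]), int(rest[8:10]))


def inspect_certificate(der):
    """Return (algorithm name, hash family, notAfter) for a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    top = _children(cert)                   # tbsCertificate, signatureAlgorithm, signatureValue
    fields = _children(top[0][1])
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    inner_oid = _decode_oid(_children(fields[1][1])[0][1])
    outer_oid = _decode_oid(_children(top[1][1])[0][1])
    if inner_oid != outer_oid:              # RFC 5280 4.1.1.2 requires the two to agree
        raise ValueError("signature algorithm mismatch between TBS and outer certificate")
    not_after = _decode_time(*_children(fields[3][1])[1])
    name, family = SIG_OIDS.get(inner_oid, (inner_oid, "unknown"))
    return name, family, not_after


def triage(der):
    """Apply the article's rule to one certificate."""
    _, family, not_after = inspect_certificate(der)
    if family != "SHA-1":
        return "ok"
    return "replace-now" if not_after >= CUTOFF else "replace-at-renewal"


# --- constructed test data: an unsigned, certificate-shaped DER skeleton ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk, p = [p & 0x7F], p >> 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(chunk)
    return out


def make_sample_cert(sig_oid, not_after):
    """Build an unsigned certificate skeleton with the given signature OID and expiry."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # AlgorithmIdentifier + NULL
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    empty_seq = _tlv(0x30, b"")                                        # placeholder Name / SPKI
    validity = _tlv(0x30, utc(datetime.datetime(2014, 1, 1)) + utc(not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")  # version v3, serial
                 + alg + empty_seq + validity + empty_seq + empty_seq)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))                # empty BIT STRING signature


if __name__ == "__main__":
    for oid, expiry in [("1.2.840.113549.1.1.5", datetime.datetime(2017, 6, 30)),
                        ("1.2.840.113549.1.1.5", datetime.datetime(2016, 3, 1)),
                        ("1.2.840.113549.1.1.11", datetime.datetime(2017, 6, 30))]:
        der = make_sample_cert(oid, expiry)
        print(inspect_certificate(der), "->", triage(der))
```

The decoder reads the `signature` field inside the signed tbsCertificate and checks it against the outer `signatureAlgorithm`, because the inner copy is the one the CA actually signed over; a mismatch is a malformed certificate rather than something to triage. Run over an exported certificate store, the three outcomes give you the list of certificates to replace immediately, the ones to upgrade at renewal, and the ones already on SHA-256.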
For our own members who are affected by these changes we have issued 7,000 credits for certificate renewals, which are claimed free of charge automatically when you obtain replacement certificates. These credits cover all SHA-1 certificates obtained from our certificate service in 2014 that are affected by the deprecation. Since 13 October 2014 we have issued SHA-256 certificates by default, so anyone who has renewed after that date already meets the new criteria.
In the coming year we’ll also be looking at how we can further support members in meeting their increasing security needs through high assurance extended validation certificates. Watch this space for more details, visit the community group, or contact me by emailing firstname.lastname@example.org.