WHAT YOU NEED TO KNOW ABOUT THE FUTURE OF SHA-1
Technology advances at a rapid pace, with new and improved hardware and software replacing outdated counterparts with ever-increasing frequency. Even long-standing technologies like hash algorithms are subject to this onward march of time, as is the case with SHA-1 (Secure Hash Algorithm), which had been in use for more than a decade at this point.
Although there are several alternatives to SHA-1, it is still in use by many organizations for identification purposes. Unfortunately, SHA-1 has been deemed a possible security risk, and several browser makers (including Google, Microsoft, and Mozilla) have declared their intentions to stop accepting SHA-1 SSL certificates. Mozilla Firefox announced plans to phase out SHA-1 in January 2017, while Microsoft Edge will follow suit in February 2017.
What does this mean for SHA-1 users with devices that don’t support the recommended upgrade to SHA-256? Is a SHA-1 update a possible solution? How can you remain in compliance and continue appearing on browsers?
Here’s what you need to know about SHA-1 moving forward.
Why is SHA-1 a Security Risk?
As any technology ages and becomes outdated, it may suffer from an inability to keep up with newer technologies and
new attack techniques leveraged by advanced computing power.
This is the case of SHA-1, which has largely been supplanted by coding that is mathematically and technologically superior.
Specifically, SHA-1 is vulnerable to a variety of attacks. Hackers that exploit SHA-1 weaknesses could install fake certificates, spoof users accounts or content in order to execute both phishing scams and man-in-the-middle attacks. It is for this reason that Microsoft, Mozilla, and others are phasing out SHA-1 certificates.
In some cases, users will only receive a warning that the connection is not safe, after which they may choose whether or not to proceed. In others, they may be unable to access content that relies on a SHA-1 certificate. This leaves businesses in the position of having to decide whether to perform a pricy upgrade to new technologies or determine whether a SHA-1 update can solve the problem.
Why Keep SHA-1?
For any business, the bottom line is always a major consideration, and technology upgrades can be extremely pricy, especially where essential infrastructure is concerned. For some companies, the problem lies in legacy servers and devices that do not support upgrades to newer technologies like SHA-256 SSL.
This would mean not only upgrading software, but also hardware, and this can prove a hardship for some businesses operating on the web. These entities need a solution that allows them to continue using SHA-1 until such time as they are able to perform upgrades, without suffering deprecation by the vast majority of browsers.
Is a SHA-1 Solution Still Available in 2017?
The answer to this question is yes. Secure 128, in concert with Symantec, offers a SHA-1 SSL solution that includes a private CA SHA-1 certificate. This will allow businesses to continue securing communications between legacy devices that rely on SHA-1 but don’t require browser access.
Both Microsoft and Mozilla are urging SHA-1 users to upgrade to approved products that are more secure, but for companies that need more time to switch over, the SHA-1 Private CA alternative provides the best interim solution.