Do Your Digital Certificates Need to SHA-pe Up?
Peter Fortunato, Risk & Business Advisory Manager
December 22, 2016
There is a new year’s resolution recommended by major web browser vendors this year pertaining to encryption. Websites and digital signatures use certificates to encrypt and decrypt data, and presently some are created with either SHA-1 or SHA-2 algorithms. The problem is that SHA-1 certificates will no longer be treated as secure past January 1, 2017. This move is long overdue, since SHA-1 certificates are weak relative to today’s computing power. For example, renting servers from Amazon Web Services, a criminal organization can break SHA-1 encryption for approximately $2,000.
Public Certificate Authorities (CAs) were required to stop issuing SHA-1 certificates as of January 1, 2016, so what’s the problem? Simply put, certificates are issued for a term of up to three years. Hence, it is possible for a SHA-1 certificate to be issued on December 31, 2015 and be otherwise valid until the end of 2018.
Current statements from major web browser vendors including Mozilla, Google, and Microsoft all indicate that SHA-1 will no longer be accepted as secure after January 1, 2017. Many public websites have already updated their certificates to avoid the minor certificate warning web browsers would display starting in January 2016. However, if your organization has its own Certificate Authority server, it is critical to review the impact once browsers no longer trust SHA-1. It is also important to be mindful of any internal devices that use self-signed certificates, which are likely based on SHA-1, such as web management interfaces to servers, IP phones, help desk software, and the like.
What your organization should do:
- Educate and remind staff to not proceed to websites if the browser warns of certificate issues. There is a very real opportunity for malicious actors to defeat even the strongest security when people become complacent with ignoring warning and error messages.
- Discuss with your IT department how management wants them to handle user escalation of certificate problems. Between now and December 31, it will be important to investigate each case to ensure users are actually blocked in advance of the January 1 deadline.
What your IT department needs to do:
- Ensure websites, critical external public websites, digital signatures, and internal self-signed certificates, are using the now required SHA-2 certificate.
- Websites should migrate away from SSL to TLS, which is used to create the secure link between the server and connecting device. (Note: Current standards recommend use of TLS 1.2 with the ECDHE_RSA_WITH_AES_128_GCM and ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suites.)
- Perform a Server Certificate Test to validate the certificate and TLS settings such as the one found here and determine any steps required to correct any issues that are discovered.
- If the organization has implemented its own Certificate Authority for disk encryption, workstation and server identification, Intranets, or VPN solutions, your IT staff must review the issued certificates to ensure they meet the SHA-2 requirement.
It will be important to act soon to avoid potential disruption next year. This migration to SHA-2 may take more time than you think, and as always should follow normal change management practices.
Please contact the BNN Risk and Business Advisory team at 1.800.244.7444 if you have further questions with risks to your corporate systems.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.