Attention: SHA-1 SSL certificates soon to be deprecated in Chrome
Are you still using an outdated SHA-1 certificate for the secure connection to your website? Beware, because Google will soon spring an unpleasant surprise on your visitors!
Computers are getting more powerful by the day. The ordinary computer the average person owns at home is many times more powerful than the room-sized machines large companies ran in the seventies and eighties. But this has its consequences. While SHA-1 (Secure Hash Algorithm 1), a hash function created in 1993, could at the time only be attacked with advanced computers, contemporary computers can very well break it, given a little extra effort.
That is why the newest SSL certificates use the harder-to-crack SHA-256 function. And of course everybody – suppliers of certificates (Certificate Authorities) and websites alike – needs to become aware that only such certificates should be issued and deployed from now on.
Google has already announced a measure that aims to make website administrators aware of the problem – obviously without scaring users off too much. When a user of the next version of the Chrome browser (42 beta) visits a secured website that still uses SHA-1 and whose certificate expires in 2016 or later, they will still be able to access the site, but they will also see a warning that the certificate no longer protects them.
Announced for a while but implemented faster
Google had announced earlier that it was considering such a measure, but the expected timeframe for the concrete implementation was originally longer: the Chrome browser was not to start showing this warning before 2016. Recently, however, Google announced that SHA-1 certificates that expire in the year 2016 will also be targeted.
This announcement sparked a wave of panic among many system administrators. Indeed, no website can afford to worry users, who simply expect a secure website to protect them when they make a purchase on it. If they get this warning in the address bar of their browser, the odds are high that they will abandon their shopping cart. Yet in September 2014, only 15% of all websites were using SHA-256.
What should you do concretely?
If you purchased an SSL certificate via Combell, you actually do not have to do a thing. Combell anticipated this evolution and has been providing SHA-256 certificates exclusively for a while. Older certificates purchased via Combell are updated in the background for free. To sum things up: as usual, Combell customers do not have to worry about a single thing. Customer service, remember?
If you are not a Combell customer, you can check very easily whether your website has an SHA-1 certificate or an SHA-256 one. Just surf with the Firefox browser to the secure section of the site, which can be identified by the ‘https’ prefix of the URL. There, you click the padlock symbol and then ‘More information’.
Now, you get a dialogue box with a first indication of the security level. You should see the code 256 somewhere near ‘Connection Encrypted’. If you then click ‘View Certificate’ in this same dialogue box, you will see (in the next box that shows the certificate) the confirmation under ‘Common name’ that it is (or is not) an SHA-256 certificate.
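If you would rather check from a script than through the browser dialogue, the following added example (written for this article; it is not Combell's code nor a tool the article mentions) reads the signature algorithm and the expiry date straight out of a certificate's DER encoding and applies the Chrome 42 rule described above: SHA-1 signature plus expiry in 2016 or later. The OID table and the DER walk follow the standard X.509 layout; `build_test_cert` produces constructed, deliberately invalid certificate skeletons so the check can be exercised offline, and `inspect_site` needs network access to fetch a real certificate.

```python
"""Read the signature algorithm and expiry of an X.509 certificate (added example).

Illustrative code for this article, not Combell's tooling: it walks just enough DER
to answer what the Chrome 42 policy asks: SHA-1 signature, and expiry in 2016 or later?
"""
import datetime
import ssl

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}

def read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(value):  # members of a constructed element as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(value):
    """OID content bytes -> dotted string, e.g. 1.2.840.113549.1.1.11."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)

def parse_time(tag, value):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")

def inspect_der(cert):
    """Return the signature algorithm name and notAfter date of a DER certificate."""
    _, body, _ = read_tlv(cert, 0)              # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig_value = children(body)   # tbsCertificate, signatureAlgorithm, signatureValue
    oid = decode_oid(children(sig_alg[1])[0][1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                    # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    not_after_tag, not_after_val = children(fields[3][1])[1]
    return {"signature_algorithm": SIG_ALG_OIDS.get(oid, oid),
            "not_after": parse_time(not_after_tag, not_after_val)}

def chrome42_warns(info):
    """The rule from the article: SHA-1 signature plus expiry in 2016 or later."""
    return info["signature_algorithm"] in SHA1_ALGS and info["not_after"].year >= 2016

def inspect_site(host, port=443):
    """Fetch a server's leaf certificate over TLS and inspect it (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return inspect_der(ssl.PEM_cert_to_DER_cert(pem))

# --- constructed test data: a minimal certificate skeleton, not a valid certificate ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(oid):
    nums = [int(x) for x in oid.split(".")]
    body = bytes([nums[0] * 40 + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append((n & 0x7F) | 0x80)
            n >>= 7
        body += bytes(reversed(chunk))
    return body

def build_test_cert(sig_oid, expiry_year):
    """Constructed DER skeleton whose only meaningful fields are the algorithm and validity."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    when = datetime.datetime(expiry_year, 6, 30, 23, 59, 59)
    utc = der(0x17, when.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") + der(0x30, utc + utc) + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
```

Call `inspect_site('www.example.com')` against your own host name to see the result for a live site. Note that the hash lives in the certificate's signatureAlgorithm field, which is a different thing from the key size (e.g. 2048-bit RSA) and from the cipher strength (e.g. AES-256) that the browser shows in its connection details; a 256-bit cipher tells you nothing about how the certificate was signed. Browsers also look at the intermediate certificates in the chain, so the same check is worth running on those.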
If, unfortunately, you do not yet have the more secure SHA-256 certificate, you should definitely follow this development and act as soon as possible. Maybe your hosting company does not, as Combell does, point that risk out to you, let alone offer you a free upgrade to an SHA-256 certificate. You will then probably have to take action yourself and, in the worst-case scenario, pay for an update of the certificate.
Keep this experience in mind when you renew your hosting contract with that provider – price should not be the only factor that determines your choice. There are so many other aspects involved. Reliability and expertise, keeping up to date with the latest security rules and transparent communication with customers, as you find with Combell, are absolutely priceless!