We’re in the final days of what are loosely known as SHA-1 SSL certificates. In certificates of this sort, the cryptographic hash or “message digest” of the certificate’s contents, which the issuing CA signs and which therefore serves as the certificate’s digital fingerprint, is calculated, as the name suggests, using the SHA-1 algorithm.
To be a cryptographic hash, rather than just a plain old checksum, an algorithm needs to create a fingerprint that is genuinely hard to forge. In other words, if I take a message M and create a digital fingerprint by calculating f(M) = X, you shouldn’t be able to go backwards from X and figure out anything useful about M (preimage resistance).
You shouldn’t be able to come up with a message of your own, N say, such that f(N) is also X (second-preimage resistance). And you shouldn’t be able to come up with two different messages of your own choosing that have the same fingerprint, where f(A) = f(B) but A is not equal to B (collision resistance). That last property is the hardest to keep, because a collision search only has to find some matching pair rather than hit a specific value: for an n-bit hash it costs roughly 2^(n/2) attempts, against roughly 2^n for a preimage.
Unless these conditions are met, the hashing function f() simply isn’t safe enough to use as any sort of digital fingerprint and therefore has no place in cryptography.
If you can deliberately create a collision, for example by coming up with a second message that has the same fingerprint as the contract I am trying to hold you to, then even if your alternative message is garbage you can repudiate my claim by showing the fallibility of the signature that I am relying on.
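To make the cost difference between the three properties concrete, here is an added example (it is not code from the original article) that runs a brute-force preimage search and a birthday-style collision search against a deliberately crippled hash: SHA-256 truncated to 20 bits, so both searches finish in seconds. The truncation width, the `msg-N` candidate format and the target digest are all constructed for the demo; a real certificate signature hash is 160 bits or more, which is why only the collision route, with its square-root cost, is the practical worry.

```python
"""Birthday collision search vs brute-force preimage search on a toy hash.

Added example, not from the original article. The hash is SHA-256 truncated to
BITS bits (constructed for the demo); the candidate-message format and the
preimage target are likewise constructed.
"""
import hashlib
from typing import Dict, Tuple

BITS = 20                    # constructed: a real fingerprint is 160+ bits
MASK = (1 << BITS) - 1


def toy_hash(msg: bytes) -> int:
    """SHA-256 truncated to BITS bits: still a fine checksum, useless as a fingerprint."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:4], "big") & MASK


def find_preimage(target: int, limit: int = 1 << (BITS + 4)) -> Tuple[bytes, int]:
    """Find a message whose toy_hash equals a *specific* target.

    Each candidate hits with probability 2**-BITS, so this takes about
    2**BITS attempts on average. Returns (message, attempts_used).
    """
    for i in range(limit):
        candidate = b"msg-%d" % i       # constructed candidate format
        if toy_hash(candidate) == target:
            return candidate, i + 1
    raise RuntimeError("no preimage found within limit")


def find_collision() -> Tuple[bytes, bytes, int]:
    """Find *any* two distinct messages with the same toy_hash.

    Remembering every digest seen so far turns the search into a birthday
    problem: about 2**(BITS/2) attempts on average. Returns (a, b, attempts).
    """
    seen: Dict[int, bytes] = {}
    i = 0
    while True:
        candidate = b"msg-%d" % i
        h = toy_hash(candidate)
        if h in seen and seen[h] != candidate:
            return seen[h], candidate, i + 1
        seen[h] = candidate
        i += 1


if __name__ == "__main__":
    a, b, ctries = find_collision()
    print("collision after %d tries: %r and %r share digest %#x" % (ctries, a, b, toy_hash(a)))
    target = toy_hash(b"contract v1")   # constructed: the digest the forger wants to match
    pre, ptries = find_preimage(target)
    print("preimage of %#x after %d tries: %r" % (target, ptries, pre))
```

Run it and the collision typically appears after a couple of thousand attempts, while the preimage needs on the order of a million; the ratio is what the birthday bound predicts, and it is the same ratio that makes a 160-bit SHA-1 collision (about 2^80 work on paper, far less with the published attacks) a realistic project where a 2^160 preimage is not.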
And recent cryptographic advances have shown that the SHA-1 algorithm is nowhere near as strong as it is supposed to be. Even though no one has yet created a forged SSL certificate by constructing SHA-1 collisions (none that we know of, anyway), many experts have long considered the risk high enough that it should be treated as inevitable. In other words, the SHA in SHA-1 can no longer be taken to stand for “secure hash algorithm.”
Stronger successors to SHA-1, such as SHA-256 from the SHA-2 family, have existed for years and are just as easy to use. Therefore there is no reason to keep on using SHA-1 SSL certificates when they can easily be replaced with more secure ones.
As a result, we have timelines from the likes of Apple, Microsoft, Google, and Mozilla as to when their browsers will stop trusting websites that still use SHA-1 SSL certificates. For those keen on security, the news is good because the end is near:
- Google Chrome: At the end of January next year, with the release of version 56, Chrome will stop trusting any SHA-1 SSL certificate and will provide a security warning.
- Mozilla Firefox: With the release of Firefox 51 in January, the browser will show an “untrusted connection” error warning for any site still using SHA-1.
- Apple Safari: We do not have exact dates on when Apple will officially stop trusting SHA-1 certificates. The latest release notes for macOS urge sites to drop SHA-1 as soon as possible, and sites loaded in macOS Sierra already do not show the green padlock that indicates a trusted site.
- Microsoft Internet Explorer and Edge: Starting on February 14, websites still using SHA-1 will get a rather unpleasant Valentine’s Day gift: the browsers will refuse to load the page by default and show a warning message instead, though users can still opt to continue to the website from that warning.
(It should be noted that in many of these cases, manually installed or self-signed certificates with SHA-1 fingerprints will still be accepted.)
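The browser deadlines above apply to the hash named in the certificate’s signature algorithm, so the first thing to check on a site you run is which algorithm its certificate actually carries. The following added example (not code from the original article) decodes just enough ASN.1/DER to walk `Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }`, pull out the `AlgorithmIdentifier` OID and map it to the underlying hash. So that it runs offline, it builds a constructed skeleton certificate with placeholder contents and no real key or signature; the parser itself works on the bytes of a real DER file.

```python
"""Report which hash a DER-encoded X.509 certificate's signature uses.

Added example, not from the original article. Only the DER needed to reach
signatureAlgorithm is implemented; the skeleton certificate built at the end
is constructed for the demo and carries no real key or signature.
"""
from typing import Tuple

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (key type, hash)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("RSA", "SHA-1"),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),
    "1.2.840.113549.1.1.13": ("RSA", "SHA-512"),
    "1.2.840.10045.4.1": ("ECDSA", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ECDSA", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ECDSA", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ECDSA", "SHA-512"),
    "1.2.840.10040.4.3": ("DSA", "SHA-1"),
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Turn OID contents into dotted form (first byte packs the first two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                     # base-128, high bit set on all but last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = read_tlv(cert, 0)        # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)    # signatureAlgorithm is the 2nd element
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid)


def signature_hash_of(cert_der: bytes) -> str:
    """Hash name ('SHA-1', 'SHA-256', ...) or the raw OID if it is not in the table."""
    oid = signature_algorithm(cert_der)
    return SIG_OIDS.get(oid, ("unknown", oid))[1]


# --- constructed skeleton certificate so the script runs offline ---------------
def der(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder for tag + length + value (short and long length forms)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def skeleton_cert(sig_oid: str) -> bytes:
    """Certificate-shaped DER with placeholder tbsCertificate and signature (constructed)."""
    tbs = der(0x30, der(0x02, b"\x01"))                      # stand-in tbsCertificate
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))    # OID + NULL parameters
    sig = der(0x03, b"\x00" + b"\x00" * 32)                  # stand-in BIT STRING
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        print(oid, "->", signature_hash_of(skeleton_cert(oid)))
```

To check a live certificate, read the DER bytes of the file (or convert PEM to DER first) and pass them to `signature_hash_of`; a result of `SHA-1` from a public CA-issued certificate means it will trip the warnings listed above, and the fix is to have the CA reissue it, not to change anything on the server’s own key.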
Websites still using SHA-1 certificates have had a number of high-profile prompts to make the switch, including the Heartbleed vulnerability, which forced many sites using SSL to deploy new certificates as a matter of course – a perfect opportunity to move to a stronger digital fingerprint algorithm at the same time.
Indeed, there have been calls for SHA-1 to be dropped from use as far back as 2005. In 2012, NIST updated its security guidelines in Special Publication 800-57, recommending that SHA-1 be deprecated as a standard. And in 2014, Google stated that it would actively penalize websites still using SHA-1 in SSL certificates after 2016.
And with the end of 2016 upon us, the deadline threat is very real. Thankfully it looks like most websites have got the message – Mozilla estimates that fewer than 1% of websites are still using SHA-1 SSL certificates today, though other estimates put the figure at as much as a third of the web.
Whatever the figure, their days are numbered.
Anonymous
“depreciation” ??? – surely you meant “deprecation”.
Paul Ducklin
Er, yes, we did :-)
Glendon Gross
This is one of the better explanations of the deprecation of SHA-1 that I have read. Somebody needs to explain to users why their older browsers will no longer allow them to connect to secure sites. You have done a good job of putting the cryptographic discussion in plain English.