Get a New SSL Certificate if You Have a SHA-1 Cert
Google has recently announced that it will begin the process of sunsetting SHA-1, which is commonly used in certificate signatures for HTTPS, starting with Google Chrome version 39, which is said to be released this coming November. Because of this, those who still have a SHA-1 certificate should now obtain new SSL certificates if they want to encourage more web users to check out their website. This is especially true for entrepreneurs who run an ecommerce business.
SHA-1 Cryptographic Hash Algorithm
The SHA-1 cryptographic hash algorithm is known to be weaker than it was when it was first designed and released in 2005, and that was nine years ago. According to Google, collision attacks against SHA-1 are too affordable for it to be considered safe for public use. The company also expects that the attacks will eventually get cheaper. The rationale behind the Secure Socket Layer and Transport Layer Security has been explained by Chris Palmer and Ryan Sleevi respectively.
Following the Footsteps of Mozilla and Microsoft
Google’s decision is similar to what Mozilla and Microsoft did, and the company is following in the footsteps of these two giant companies. It was almost a year ago when Microsoft announced that the Windows Explorer browser will no longer accept SHA-1 certificates for SSL by the year 2017, and just recently Mozilla released a statement that it, too, will not accept SHA-1 certificates in SSL in 2017. In line with this, they have decided to remove some of the 1024-bit root certificates from their trust list.
All these companies, Mozilla, Microsoft and Google, have taken into consideration the predictions made by NIST, the National Institute of Standards and Technology, which said that digital signature algorithms using 1024-bit keys will soon be broken, or will be in serious danger of being broken, in 2017 to 2018. This is also the reason why Google decided to upgrade its SSL certificates to 2048-bit keys last year.
Challenges with Demonstrating it Publicly
Both Chris Palmer and Ryan Sleevi have pointed out that it is absolutely necessary to demonstrate publicly the attack against the SHA-1 certificate, but they admitted that this can be challenging. For instance, when Chrome decided to disable MD5, several companies, schools, and business organizations were affected because their proxy software, provided by leading vendors, had continued to use the insecure algorithm, and they were left scrambling for updates. Users of personal firewall software were also affected.
To keep this from happening again, Google has revealed that upcoming Chrome iterations will begin treating SSL certificates that include a SHA-1-based signature as part of the certificate chain, and that expire on or after January 1, 2017, as secure, but with minor errors.
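A site operator can apply the rule described above to their own certificates before Chrome does. The following is an added example, not code from Google or from this article: it assumes the input is text in the style of `openssl x509 -noout -text` output, and the function name `audit`, the finding labels, and the sample certificates are hypothetical. It also flags 1024-bit keys, which the article mentions separately.

```python
import re
from datetime import datetime

# Cutoff stated in the article: expiry on or after 1 January 2017.
CUTOFF = datetime(2017, 1, 1)

# Constructed sample: trimmed `openssl x509 -noout -text` style output for
# three certificates. Hostnames and dates are made up for illustration.
SAMPLE = """\
Certificate:
    Signature Algorithm: sha1WithRSAEncryption
            Not After : Jun 30 23:59:59 2017 GMT
        Subject: CN=shop.example.test
                Public-Key: (2048 bit)
Certificate:
    Signature Algorithm: sha1WithRSAEncryption
            Not After : Dec 31 23:59:59 2016 GMT
        Subject: CN=old.example.test
                Public-Key: (1024 bit)
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
            Not After : Mar  1 12:00:00 2018 GMT
        Subject: CN=new.example.test
                Public-Key: (2048 bit)
"""

def audit(text):
    """Return {subject: [findings]} for every certificate block in `text`."""
    report = {}
    for block in re.split(r"(?m)^Certificate:", text)[1:]:
        subject = re.search(r"Subject: (.+)", block).group(1).strip()
        sig = re.search(r"Signature Algorithm: (\S+)", block).group(1)
        expires = re.search(r"Not After : (.+)", block).group(1).strip()
        not_after = datetime.strptime(expires, "%b %d %H:%M:%S %Y GMT")
        bits = int(re.search(r"Public-Key: \((\d+) bit\)", block).group(1))
        findings = []
        if "sha1" in sig.lower():
            # The article's rule needs both conditions: SHA-1 and late expiry.
            findings.append("sha1-expires-2017-or-later" if not_after >= CUTOFF
                            else "sha1-expires-before-2017")
        if bits <= 1024:
            findings.append("weak-key-%d-bit" % bits)
        report[subject] = findings
    return report

if __name__ == "__main__":
    for subject, findings in audit(SAMPLE).items():
        print(subject, "->", ", ".join(findings) or "ok")
```

Run it against every certificate in the chain the server actually sends, since the rule applies to a SHA-1 signature anywhere in that chain.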