1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline

In 45 days, Certificate Authorities (CAs) will no longer issue certificates using the SHA-1 cryptographic hash function, but 35% of websites still use such certificates today, new research from Venafi reveals.

Last year, security researchers revealed that new collision attacks had significantly lowered the cost of breaking the two-decade-old SHA-1 algorithm, which had become an Internet security standard. This prompted an industry-wide move away from the insecure crypto function and toward the much more secure SHA-2 or SHA-3, a change researchers had been urging for years.

Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers, including Microsoft, Google, and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 as of that date, and they will mark these websites as insecure.

Despite this push, one in three websites is still using SHA-1 certificates at the moment, Venafi says. The number is the result of an analysis of over 11 million publicly visible IPv4 websites, 35% of which face disruptions in the New Year. This also means that many website admins are either currently struggling to replace their SHA-1 certificates or are unaware that they still use such certificates and haven’t located them.

As soon as the SHA-2 migration deadline arrives, web traffic to affected websites will be disrupted in various ways, Venafi says. Browsers will display warnings to users, informing them that the sites are insecure, and they will no longer display the ‘green padlock’ on the address line for HTTPS transactions. Performance issues are also expected, including completely blocked access to affected sites.

This will not only impact the user experience, but will also result in an increase in help desk calls and a reduction in revenue from online transactions for the affected sites. Long-term reputation damage will also occur, Venafi says.

“The results of our analysis clearly show that while the most popular websites have done a good job of migrating away from SHA-1 certificates, a significant portion of the Internet continues to rely on SHA-1 certificates. According to Netcraft’s September 2016 Web Server Survey, there are over 173 million active websites. Extrapolating from our results, as many as 61 million websites may be using such certificates,” Walter Goulet, cloud solutions product manager at Venafi, commented.

Digital certificates aren’t used only to verify that the website the user connects to is legitimate, but also to determine what can and can’t be trusted during online transactions. This is of critical importance when sensitive data is transmitted, and weak certificates such as those using the SHA-1 hash algorithm can be manipulated, researchers say.

Collision attacks on SHA-1 certificates allow cybercriminals to perform man-in-the-middle attacks on TLS connections, and the more secure SHA-2 algorithm solves these problems. However, as long as many websites still use insecure certs, users connecting to them are at risk.

“Our whole online world is predicated on the system of trust that is underpinned by these certificates; organizations have an obligation to ensure that this is fixed. Leaving SHA-1 certificates in place is like putting up a welcome sign for hackers that says, ‘We don’t care about security of our applications, data, and customers,’” Kevin Bocek, chief security strategist at Venafi, said.

He also explains that, with an average of over 23,000 keys and certificates, many organizations don’t have the necessary tools or visibility to find and replace all SHA-1 certificates in their environment. However, they have only a month and a half to come up with a plan and resolve the issue, because things will be more difficult once their websites start to break.
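One way to locate SHA-1-signed certificates in an inventory, shown as an added example (not code from Venafi or the article): a standard-library Python check that reads the signatureAlgorithm OID out of a DER-encoded X.509 certificate. The function names are hypothetical, and `sample_cert` builds a constructed skeleton with a certificate's outer layout rather than a real signed certificate.

```python
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                 "1.2.840.10040.4.3": "dsa-with-sha1"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def decode_oid(data):
    """Decode DER OID content bytes into dotted form."""
    first = min(data[0] // 40, 2)
    arcs, val = [first, data[0] - 40 * first], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)  # base-128 digits; high bit set means more follow
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, sha1_name) for a DER certificate; sha1_name is None unless SHA-1 based."""
    tag, start, _ = read_tlv(der, 0)                  # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)              # step over tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06) or oid_start == oid_end:
        raise ValueError("not an X.509 certificate structure")
    oid = decode_oid(der[oid_start:oid_end])
    return oid, SHA1_SIG_OIDS.get(oid)

def _tlv(tag, body):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(oid_hex, tbs_len=300):
    """Constructed skeleton with a certificate's outer layout; not a valid certificate."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _tlv(0x30, _tlv(0x30, bytes(tbs_len)) + alg + _tlv(0x03, bytes(33)))
```

For a live host, `ssl.get_server_certificate((host, 443))` returns the leaf certificate as PEM and `ssl.PEM_cert_to_DER_cert()` converts it to the DER bytes `signature_algorithm` expects.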

Ionut Arghire is an international correspondent for SecurityWeek.