Google Chrome will flag up websites with SHA-1 SSL certificates as insecure – and that's a huge policy change which ought to kick businesses into action, says an expert in digital certificates.
Only 15 per cent of sites use SHA-256 certificates, the replacement for SHA-1, according to stats from SSL Pulse. This means plenty of work needs to be done before Google's policy change comes into effect in 2016, according to Ivan Ristic, director of engineering at cloud security firm Qualys.
Although the first signs of weaknesses in SHA-1 appeared almost ten years ago, it was only in 2012 that breaking SHA-1 became feasible, at least for those with deep pockets prepared to throw specialist hardware at the problem. In November 2013, Microsoft announced it wouldn't be accepting SHA-1 certificates after 2016. Google followed suit last week by saying its web browser will start declaring HTTPS sites as insecure if they use SHA-1 certificates that expire during 2016 and after.
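As an added illustration (not from the article, and not from Ristic's guide or any Qualys tool), the following Python script walks a DER-encoded X.509 certificate to pull out its signature algorithm and expiry date, then applies the rule stated above: a SHA-1-signed certificate that expires during 2016 or later is the one Chrome will flag. The sample certificates are constructed inside the script (empty issuer and subject, a dummy key and signature, so they are not valid certificates) purely to exercise the check; against a real server you would feed it the DER bytes of the served certificate. The OID list, field order and time formats follow RFC 5280; the sample builder and its values are hypothetical.

```python
from datetime import datetime, timezone

# Signature-algorithm OIDs that mean "this certificate is signed with SHA-1".
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5",  # sha1WithRSAEncryption
    "1.2.840.10045.4.1",     # ecdsa-with-SHA1
    "1.2.840.10040.4.3",     # dsa-with-sha1
}

def read_tlv(data, pos):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def children(content):
    """Split the body of a constructed DER element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted form, e.g. 1.2.840.113549.1.1.5."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this sub-identifier
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)

def parse_time(tag, value):
    """Parse an X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)

def inspect_certificate(der_cert):
    """Return the outer signature algorithm OID and notAfter date of a DER-encoded X.509 certificate."""
    tag, cert_body, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    (_, tbs), (_, sig_alg), _signature = children(cert_body)[:3]
    oid = decode_oid(children(sig_alg)[0][1])     # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, params }
    fields = children(tbs)
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _not_before, not_after = children(fields[3][1])
    return {"signature_algorithm": oid, "not_after": parse_time(*not_after)}

def chrome_flags_certificate(der_cert):
    """Rule from the article: SHA-1 signature and expiry during 2016 or later -> Chrome marks the site insecure."""
    info = inspect_certificate(der_cert)
    return info["signature_algorithm"] in SHA1_SIGNATURE_OIDS and info["not_after"].year >= 2016

# --- constructed sample certificates (hypothetical: empty names, dummy key and signature) ---
def der(tag, content):
    """Minimal DER encoder used only to build the samples below."""
    if len(content) < 0x80:
        length = bytes([len(content)])
    else:
        lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def make_sample_cert(sig_oid, not_after_utc, params=b""):
    alg = der(0x30, der(0x06, sig_oid) + params)
    validity = der(0x30, der(0x17, b"140901000000Z") + der(0x17, not_after_utc))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") + validity + der(0x30, b"") + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
NULL_PARAMS = der(0x05, b"")                       # RSA AlgorithmIdentifier carries NULL parameters

SAMPLE_SHA1_EXPIRES_2015 = make_sample_cert(SHA1_RSA, b"151231235959Z", NULL_PARAMS)
SAMPLE_SHA1_EXPIRES_2016 = make_sample_cert(SHA1_RSA, b"160630235959Z", NULL_PARAMS)
SAMPLE_SHA256_EXPIRES_2017 = make_sample_cert(SHA256_RSA, b"170630235959Z", NULL_PARAMS)

if __name__ == "__main__":
    for name, cert in [("sha1, expires 2015", SAMPLE_SHA1_EXPIRES_2015),
                       ("sha1, expires 2016", SAMPLE_SHA1_EXPIRES_2016),
                       ("sha256, expires 2017", SAMPLE_SHA256_EXPIRES_2017)]:
        print(name, inspect_certificate(cert), "FLAGGED" if chrome_flags_certificate(cert) else "ok")
```

The check only reads the leaf certificate; the same test should be run over every intermediate in the chain, since a SHA-1 signature on an intermediate trips the same policy. The parser deliberately does not verify the signature or the chain: it answers the narrower operational question of which certificates need replacing before the deadline.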
Ristic has put together a blog post explaining how businesses should deal with this change. This includes a step-by-step guide for professionals, as well as how to overcome the most common problems.
"Before this most recent development, the advice was very simple: don't use SHA1 certificates past 2016," Ristic explained. "Google's decision complicates things: now it's no longer safe to use SHA1 (with Google Chrome) even during 2016. For some sites there won't be a satisfactory outcome no matter what they do: if they want to maintain an error-free presence with Chrome they might need to cut off some older clients." ®