21 percent of websites are still using certificates signed with the vulnerable Secure Hash Algorithm 1 (SHA-1), an outdated cryptographic hash function that has been known to be insecure since 2005.
Website security certificates help users know that they are on a safe website and that any information they send to the site should be protected. Trustworthiness is shown through signals such as “https” rather than “http” at the start of the website address, and a padlock symbol in the address bar of the browser.
Trust is a huge issue for internet users (after all, “On the internet, no one knows you are a dog”). The Internet Society is currently exploring ways to develop greater user trust. And if trust symbols that are commonly accepted by users are found to be flawed, that could cause enormous damage to web commerce.
Enter Venafi Labs, who have shown that many companies have failed to replace the outdated SHA-1 security standard with the more secure SHA-2 standard. This means that users arriving at websites they think are safe may be shown a warning sign:
Warning notice in a Chrome browser triggered by an insecure security certificate, such as one signed with SHA-1
This warning is triggered because an outdated security standard is being used. That might not matter if the standard was still secure. But it isn’t. On February 23, 2017, Google-affiliated security researchers announced they had cracked the SHA-1 security standard using a collision attack. The incident proved that the deprecated cryptographic hash algorithm still used to sign many website digital certificates can be attacked in practice.
Venafi have warned that web transactions and traffic may be disrupted in a variety of ways due to use of insecure SHA-1 certificates:
- Browsers will display warnings to users that the site is insecure, prompting users to look for an alternative site.
- Browsers will not display the ‘green padlock’ on the address line for HTTPS transactions; consumers rely on this icon as an indication that online transactions are secure and private.
- Sites may experience performance problems; in some cases, access to websites may be completely blocked.
In addition to the serious impact on user experience, websites that continue to use SHA-1 certificates are likely to experience a significant increase in help desk calls and a reduction in revenue from online transactions as users abandon websites due to security warnings.
You can check whether your website is using SHA-1 here.
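The check referred to above can also be done locally on a certificate you already hold. The following Python script is an added example, not Venafi's checker or any tool from the original article: a dependency-free DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate (RFC 5280, section 4.1) and flags SHA-1 based signatures. The certificates it is run on are constructed skeletons produced by build_skeleton_certificate(); they are not real certificates and would not validate anywhere. All function names are this example's own.

```python
"""Report the signature hash algorithm of an X.509 certificate from its DER bytes.

Added example (not Venafi's tool or the article's checker). The fixtures built by
build_skeleton_certificate() are constructed stubs, not real certificates.
"""
import base64
from typing import Dict, List, Tuple

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIGNATURE_OIDS: Dict[str, str] = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10040.4.3", "1.2.840.10045.4.1"}
SEQUENCE, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length itself
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos:pos + length], pos + length


def _members(seq_body: bytes) -> List[Tuple[int, bytes]]:
    """Split the body of a SEQUENCE into its (tag, value) members."""
    members, pos = [], 0
    while pos < len(seq_body):
        tag, value, pos = _read_tlv(seq_body, pos)
        members.append((tag, value))
    return members


def decode_oid(value: bytes) -> str:
    """Decode OID contents (without tag/length) into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """Return the dotted OID found in Certificate.signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a DER SEQUENCE")
    members = _members(body)
    if len(members) != 3:  # tbsCertificate, signatureAlgorithm, signatureValue
        raise ValueError("expected three members in Certificate")
    alg_tag, alg_body = members[1]
    if alg_tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not an AlgorithmIdentifier SEQUENCE")
    oid_tag, oid_value = _members(alg_body)[0]
    if oid_tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_value)


def check_certificate(cert_der: bytes) -> Dict[str, object]:
    """Name the signature algorithm and say whether it relies on SHA-1."""
    oid = signature_algorithm(cert_der)
    return {"oid": oid, "name": SIGNATURE_OIDS.get(oid, "unknown"), "uses_sha1": oid in SHA1_SIGNATURE_OIDS}


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the certificate body."""
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"


# Constructed fixtures: a tiny DER encoder used only to build test skeletons.
def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite short or long length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


def _encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (inverse of decode_oid)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk, arc = chunk + [0x80 | (arc & 0x7F)], arc >> 7
        body.extend(reversed(chunk))
    return _tlv(OID, bytes(body))


def build_skeleton_certificate(signature_oid: str) -> bytes:
    """Constructed stub: Certificate SEQUENCE with a serial-only tbsCertificate, a real
    AlgorithmIdentifier for signature_oid and a dummy 2048-bit signature. Not a valid
    certificate; the long signature also exercises long-form DER lengths in the reader."""
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01"))
    params = _tlv(NULL, b"") if signature_oid.startswith("1.2.840.113549") else b""  # RSA: NULL; ECDSA/DSA: absent
    alg = _tlv(SEQUENCE, _encode_oid(signature_oid) + params)
    sig = _tlv(BIT_STRING, b"\x00" + b"\x00" * 256)  # leading 0x00 = no unused bits
    return _tlv(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        print(check_certificate(pem_to_der(to_pem(build_skeleton_certificate(oid)))))
```

To use it on a live site, save the PEM blocks printed by `openssl s_client -connect host:443 -showcerts` and pass each one through pem_to_der() and check_certificate(). Run it over every certificate the server sends, not only the leaf: browsers applied their SHA-1 deprecation to leaf and intermediate certificates, while a self-signed root is trusted through the browser's store rather than through its own signature, so its algorithm does not trigger the warning.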
Venafi is a leading cybersecurity company that secures and protects the cryptographic keys and digital certificates every business and government depends on for secure communications, commerce, computing, and mobility.
In February 2017, the Venafi Labs research team analyzed data on over 33 million publicly visible IPv4 websites using Venafi TrustNet™, a proprietary database and real-time certificate intelligence service. This research discovered that over 1 in 5 certificates for unique IP addresses are still using SHA-1 as the signature hash algorithm.
Photo copyright amanaimagesRF under licence from Thinkstockphotos.co.uk