CIS CYBER ALERT
02/24/2017 - Updated
SHA-1 End of Life
Major browser developers Microsoft, Google, and Mozilla have announced that beginning in 2017, users visiting websites with a SHA-1 certificate will be unable to connect to those sites. Previously, security researchers demonstrated that malicious actors would soon be able to break SHA-1 in a short period of time. Over the last two years, browser developers and Certificate Authorities (CAs) have taken action to phase out SHA-1 in favor of the stronger SHA-2 algorithm. As of December 31, 2015, SHA-1 certificates were no longer issued by CAs.
SHA-1 is a cryptographic hashing algorithm for validating TLS/SSL certificates for encrypted browser sessions.
In a survey by MS-ISAC's Vulnerability Management Program, a number of state, local, tribal, and territorial (SLTT) government domains were observed using SHA-1 signed certificates, as of November 28, 2016.
On February 23, 2017, a team of researchers from CWI Amsterdam and Google revealed the discovery of a practical technique for generating a SHA-1 collision and released proof in the form of two different documents, which generate a collision when hashed using SHA-1. This proof coincides with the scheduled deprecations of SHA-1 by major Internet browsers.
· Firefox – Firefox stated that on February 24 they will finish their gradual phase-out of SHA-1 certificates for Firefox users. Firefox 52, the most current version, rejects SHA-1 certificates by default.
· Google Chrome – Google Chrome 57, released on January 26, removed support for SHA-1 certificates.
· Microsoft – By mid-2017, Microsoft Edge and Internet Explorer will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Additionally, the next release of Windows 10 will block SHA-1 by default in the browser.
In a survey by MS-ISAC's Vulnerability Management Program, a number of SLTT government domains were observed using SHA-1 signed certificates, as of February 24, 2017.
MS-ISAC recommends organizations inventory their servers to determine if SHA-1 certificates are currently securing the connections to those servers and develop a proper migration plan to ensure those certificates are upgraded appropriately.
Website owners can check their website certificate algorithms at http://sha1affected.com/.