CIS CYBER ALERT

DATE ISSUED:
02/24/2017 - Updated

SUBJECT:
SHA-1 End of Life

Major browser developers Microsoft, Google, and Mozilla have announced that beginning in 2017 users visiting websites with a SHA-1 certificate will be unable to connect to those sites. Previously security researchers demonstrated that malicious actors would soon be able to crack SHA-1 encryption in a short period of time. Over the last two years, browser developers and Certificate Authorities (CAs) have taken actions to phase-out SHA-1 in favor of the stronger SHA-2 algorithm. As of December 31, 2015, SHA-1 certificates were no longer issued by CAs.

SHA-1 is a cryptographic hashing algorithm for validating TLS/SSL certificates for encrypted browser sessions.

In a survey by MS-ISAC’s Vulnerability Management Program, a number of state, local, tribal, and territorial (SLTT) government domains were observed using SHA-1 signed certificates, as of November 28, 2016.

UPDATED:
On February 23, 2017, a team of researchers from CWI Amsterdam and Google revealed the discovery of a practical technique for generating a SHA-1 collision and released proof in the form of two different documents, which generate a collision when hashed using SHA-1. This proof coincides with the scheduled deprecations of SHA-1 by major Internet browsers.
· Firefox – Firefox stated that on February 24 they will finish their gradual phase out of SHA-1 certificates for Firefox users. Firefox 52, the most current version, rejects SHA-1 certificates by default.
· Google Chrome – Google Chrome 57, released on January 26, removed support for SHA-1 certificates.
· Microsoft – By mid-2017, Microsoft Edge and Internet Explorer will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Additionally, the next release of Windows 10 will block SHA-1 by-default in the browser.


In a survey by MS-ISAC’s Vulnerability Management Program, a number of SLTT government domains were observed using SHA-1 signed certificates, as of February 24, 2017.

RECOMMENDATIONS:
MS-ISAC recommends organizations inventory their servers to determine if SHA-1 certificates are currently securing the connections to those servers and develop a proper migration plan to ensure those certificates are upgraded appropriately.

UPDATED:
Website owners can check their website certificate algorithms at http://sha1affected.com/.

REFERENCES:
https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/
https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html
https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/

UPDATED REFERENCES:
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
https://blog.mozilla.org/security/
https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html
https://blogs.technet.microsoft.com/yurikasensei/2016/11/29/sha1-users-guide/