THANKS FOR GETTING IN TOUCH

We aim to respond to all messages within 1 business day. You'll be hearing from us soon!

In the meantime, perhaps you'd like to learn more...

EXCITING!

We'd love to help you get your next digital project off the ground.

HOW CAN WE REACH YOU?

*Required Fields
*
*
*
*

HOW CAN WE HELP YOU BE SMARTER ONLINE

*
CLOSE
 

Your Secure Certificate may not actually be very secure

October 24, 2014

If you have an Ecommerce website, then you likely have a Secure (SSL) Certificate installed for encrypting confidential information as it is transmitted over the Internet. There is a high likelihood that this certificate is using the SHA-1 cryptographic hash algorithm to encrypt and decrypt this information. Think of SHA-1 being like the key used to lock (at the sending end) and unlock (at the receiving end) a data packet containing secure information, such as credit card details.

Since about 2005, it has been known that SHA-1 is considerably weaker than it was originally designed to be, which led Microsoft to create a SHA-1 deprecation policy in November 2013 providing 3 years notice to phase out SHA-1. Certification authorities (CAs) must stop issuing new SHA-1 SSL certificates by January 1, 2016 and Windows will stop accepting SHA-1 certificates by January 1, 2017.

Google recently announced that they are fast tracking a SHA-1 sunset policy in their popular Chrome Browser, beginning with the release of Chrome 39 in November 2014. The Google Chrome policy change will roll out over three releases of the browser, resulting in progressively degraded HTTPS security indicator (e.g. the padlock symbol and green-bar) for SHA-1 signed certificates that meet certain criteria. Ultimately from Chrome 41 (Q1 2015), there will be an insecure site warning for all SHA-1 signed certificates that expire after January 1, 2017.

We had a feeling this change could come sooner than expected, so Apex Digital have only been issuing SHA-2 certificates since May 2014. Further, we have a policy of only issuing 1-year certificates for precisely this reason. While renewing certificates annually results in a lot more work for us, it ensures that our clients’ websites are always up to date with current SSL security advances.

As a result of our forward thinking, we’re proud to say that none of our clients’ websites will be affected by this Google Policy update; however, if you or anyone you know have websites with other providers, now would be a good time to ask what they are doing to address this issue.

 Further reading: http://googleonlinesecurity.blogspot.ca/2014/09/gradually-sunsetting-sha-1.html

 

^ top
Filed under Design & Development

Written by

David founded Apex back in 1997. He has a Bachelors Degree from Auckland University and a post Graduate Diploma in Operations Management. As Managing Director David's role is incredibly varied but tends to focus mainly on technical issues that crop up from time to time around Server Admin, Network Management and Email and Domain related events.

Related posts

Leave a comment

Fields marked * are required

ARE YOU READY TO BE SMARTER ONLINE TOO?WANT TO GET STARTED?
HERE'S HOW
YES

AWESOME! LET'S GET STARTED

TELL US HOW WE CAN HELP

THANKS FOR GETTING IN TOUCH

We aim to respond to all messages within 1 business day. You'll be hearing from us soon!

In the meantime, perhaps you'd like to learn more...

Our friendly team can be reached Monday - Friday from 8.30am to 5.00pm.
Fill in your details below and we'll get back to you lightning fast.

* *
* *
*
*
*
*Required Fields