Your Secure Certificate may not actually be very secure

October 24, 2014

If you have an Ecommerce website, then you likely have a Secure (SSL) Certificate installed for encrypting confidential information as it is transmitted over the Internet. There is a high likelihood that this certificate is using the SHA-1 cryptographic hash algorithm to encrypt and decrypt this information. Think of SHA-1 being like the key used to lock (at the sending end) and unlock (at the receiving end) a data packet containing secure information, such as credit card details.

Since about 2005, it has been known that SHA-1 is considerably weaker than it was originally designed to be, which led Microsoft to create a SHA-1 deprecation policy in November 2013 providing 3 years' notice to phase out SHA-1. Certification authorities (CAs) must stop issuing new SHA-1 SSL certificates by January 1, 2016 and Windows will stop accepting SHA-1 certificates by January 1, 2017.

Google recently announced that they are fast-tracking a SHA-1 sunset policy in their popular Chrome browser, beginning with the release of Chrome 39 in November 2014. The Google Chrome policy change will roll out over three releases of the browser, resulting in progressively degraded HTTPS security indicators (e.g. the padlock symbol and green bar) for SHA-1 signed certificates that meet certain criteria. Ultimately, from Chrome 41 (Q1 2015), there will be an insecure site warning for all SHA-1 signed certificates that expire after January 1, 2017.

We had a feeling this change could come sooner than expected, so Apex Digital have only been issuing SHA-2 certificates since May 2014. Further, we have a policy of only issuing 1-year certificates for precisely this reason. While renewing certificates annually results in a lot more work for us, it ensures that our clients’ websites are always up to date with current SSL security advances.

As a result of our forward thinking, we’re proud to say that none of our clients’ websites will be affected by this Google Policy update; however, if you or anyone you know have websites with other providers, now would be a good time to ask what they are doing to address this issue.

 Further reading: http://googleonlinesecurity.blogspot.ca/2014/09/gradually-sunsetting-sha-1.html

 

Filed under Design & Development

Written by

David founded Apex back in 1997. He has a Bachelor's Degree from Auckland University and a Postgraduate Diploma in Operations Management. As Managing Director, David's role is incredibly varied but tends to focus mainly on technical issues that crop up from time to time around Server Admin, Network Management and Email and Domain related events.
