Understand SHA-1 Algorithm Weakness As Per Google Standards
Google has decided to deprecate the SHA-1 signature algorithm in its Chrome browser, a change aimed at strengthening the security of the Internet as a whole.
Google has a record of taking firm action when it comes to protecting users' data on the Internet. This time it plans to stop trusting certificates signed with SHA-1, a hash function that is susceptible to collision attacks whose cost keeps falling as cryptanalysis improves and computing power gets cheaper.
So it is finally time to say goodbye to the SHA-1 signature algorithm. Let's take a quick look at the changes Google announced and at what website owners need to do about their certificates as a result.
- What is SHA-1 signature algorithm?
SHA stands for "Secure Hash Algorithm". SHA-1 is a single hash function, published by NIST in 1995, that produces a 160-bit digest. Web security experts consider it weak because attacks that find SHA-1 collisions faster than brute force have been public since 2005, and a signature algorithm built on a hash with findable collisions can be abused to get one certificate signed and present another.
- What is SHA-2 signature algorithm?
SHA-2 is the successor family to SHA-1 in the SHA standard. Rather than one function it comprises several (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256) with longer digests and no known practical attacks, and a certificate signed with one of them protects the integrity of the data users exchange over TLS.
- Is it safe to use SHA-1?
The weaknesses of SHA-1 are well known: cryptanalytic collision attacks far cheaper than the generic 2^80 bound have been published repeatedly, and each one lowers the cost further. Those attacks have not yet been turned into a forged certificate in a live environment, so a SHA-1 certificate does not break your site today. However, SSL experts and critics agree that SHA-1 will become a real vulnerability on the Internet in the near future, which is why best practice no longer recommends it.
- What if my existing SSL certificate is SHA-1?
If your certificate is signed with SHA-1, exchanging it for a SHA-2 certificate is easy. Re-issue the SSL certificate through your CA and choose SHA-2 (SHA-256) as the signature algorithm; the CA picks the hash when it signs, so your existing key and CSR can usually be reused. Install the new certificate together with the SHA-2 intermediate certificates the CA supplies, because a SHA-1 intermediate in the chain triggers the same warnings as a SHA-1 leaf.
- Which Certificate Authorities (CAs) have this new SHA-2 algorithm?
There are plenty of SSL certificate vendors on the Internet, but it is hard to find out which CAs have migrated all of their SSL and Code Signing certificates to the SHA-2 signature algorithm. After a little research we found that Symantec™, GeoTrust®, Thawte™, and RapidSSL™ offer low-price SSL certificates signed with SHA-2, backed by technical support from a team of experts.
- What is the difference between SHA-1 and SHA-2 algorithm?
SHA-1 is a single hash function with a 160-bit digest (MD5, not SHA-1, is the 128-bit one), whereas SHA-2 is a family of hash functions.
SHA-2 is stronger than SHA-1 because its members (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256) produce longer digests and, unlike SHA-1, have no published attacks better than brute force. SHA-256 is the most widely deployed member and the one CAs issue by default. The suffix gives the digest length in bits (for SHA-512/224 and SHA-512/256, the length to which the SHA-512 output is truncated). A longer digest raises the generic collision cost from roughly 2^80 for SHA-1 to 2^128 for SHA-256, but the decisive difference is that SHA-1's known attacks already undercut its generic bound while SHA-2's do not.
- What is Google's preparation for the elimination of SHA-1?
Here is how the upcoming versions of the Google Chrome browser will react to a site whose certificate chain contains a SHA-1 signature. The treatment depends on the expiry date of the site's own (end-entity) certificate; a SHA-1 signature on the self-signed root is ignored, since root certificates are trusted by identity rather than by signature.
- Chrome 39 – Public release in early November 2014
Websites whose SHA-1 certificates expire on or after January 1 2017 will be treated as 'secure, but with minor errors'. A small yellow triangle over the padlock is displayed in the address bar, as shown below:
- Chrome 40 – Branch Point – November 7 2014 & Stable after Holiday Season
Websites with SHA-1 SSL certificates expiring between June 1 2016 and December 31 2016 will trigger the 'secure, but with minor errors' warning described above.
Websites with SHA-1 SSL certificates expiring on or after January 1 2017 will be treated as 'neutral, lacking security': the padlock is replaced by a blank page icon, as shown in the image below:
- Chrome 41 – Branch Point – Q1 2015
All websites relying on SHA-1 SSL certificates expiring between January 1 2016 and December 31 2016 will trigger the 'secure, but with minor errors' warning described above.
All websites with SHA-1 SSL certificates expiring on or after January 1 2017 will be treated as 'affirmatively insecure': a red cross is shown over the padlock and the https:// prefix is struck through in red, as shown in the image below:
Here is an easy-to-follow chart that shall help you understand the result of the browser-SSL interaction under Google’s new policies:
| Chrome version (branch date) | SHA-1 cert expiring by Dec 31 2015 | SHA-1 cert expiring Jan 1 2016 to May 31 2016 | SHA-1 cert expiring Jun 1 2016 to Dec 31 2016 | SHA-1 cert expiring Jan 1 2017 or later | Advisable signature algorithm |
|---|---|---|---|---|---|
| Chrome 39 (Sept 2014) | No warning | No warning | No warning | Secure, but with minor errors | SHA-2 (SHA-256) |
| Chrome 40 (Nov 2014) | No warning | No warning | Secure, but with minor errors | Neutral, lacking security | SHA-2 (SHA-256) |
| Chrome 41 (Q1 2015) | No warning | Secure, but with minor errors | Secure, but with minor errors | Affirmatively insecure | SHA-2 (SHA-256) |
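The two practical questions this page raises are "which hash does my certificate actually carry?" and "what will each Chrome version show for it?". The following is an added example written for this page, not code from Google or from any of the CAs named above. It walks a DER-encoded X.509 certificate with nothing but the Python standard library, reads the outer signatureAlgorithm OID and the notAfter date, and applies the Chrome 39/40/41 schedule summarised above. The function names (`parse_certificate`, `chrome_sha1_treatment`, `build_sample_certificate`) are this example's own, and the certificate it feeds itself is a constructed, unsigned skeleton built by `build_sample_certificate` purely so the code runs offline; it assumes the hash used for the signature is fully determined by the OID, which holds for the RSA PKCS#1 v1.5 and ECDSA OIDs listed (RSA-PSS, which carries the hash in its parameters, is not handled).

```python
"""Added example: report a DER X.509 certificate's signature hash and map it
onto Chrome's announced SHA-1 sunset schedule, using only the standard library."""
import datetime

# signatureAlgorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, hash used)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """List (tag, value_start, value_end) for every element inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tlv = _read_tlv(buf, pos)
        out.append(tlv)
        pos = tlv[2]
    return out


def _decode_oid(raw):
    """Decode OID content octets (X.690 base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _decode_time(tag, raw):
    """UTCTime (tag 0x17, YYMMDDhhmmssZ) or GeneralizedTime (tag 0x18, YYYYMMDDhhmmssZ)."""
    s = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY
        yy = int(s[:2])
        s = str(yy + (1900 if yy >= 50 else 2000)) + s[2:]
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")


def parse_certificate(der):
    """Return (signature algorithm name, hash name, notAfter) for one DER certificate."""
    tag, start, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate must be a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    (_, tbs_s, tbs_e), (_, alg_s, alg_e), _ = _children(der, start, end)
    _, oid_s, oid_e = _children(der, alg_s, alg_e)[0]  # AlgorithmIdentifier.algorithm
    oid = _decode_oid(der[oid_s:oid_e])
    name, hash_name = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer, validity, ... }
    fields = _children(der, tbs_s, tbs_e)
    if fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3 certificates)
        fields = fields[1:]
    _, val_s, val_e = fields[3]
    _, (na_tag, na_s, na_e) = _children(der, val_s, val_e)  # notBefore, notAfter
    return name, hash_name, _decode_time(na_tag, der[na_s:na_e])


def chrome_sha1_treatment(chrome_version, hash_name, not_after):
    """UI state Chrome 39/40/41 assign to a SHA-1 chain, keyed on the leaf's expiry."""
    if hash_name != "SHA-1" or chrome_version <= 38:
        return "secure"
    y, m = not_after.year, not_after.month
    if chrome_version == 39:
        return "secure, but with minor errors" if y >= 2017 else "secure"
    if chrome_version == 40:
        if y >= 2017:
            return "neutral, lacking security"
        return "secure, but with minor errors" if (y == 2016 and m >= 6) else "secure"
    if y >= 2017:  # Chrome 41 and later
        return "affirmatively insecure"
    return "secure, but with minor errors" if y == 2016 else "secure"


def _tlv(tag, content):
    """DER-encode one element (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return bytes(out)


def build_sample_certificate(sig_oid, not_after_utc):
    """Constructed test data: a structurally valid but unsigned X.509 v3 skeleton, not a real certificate."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    empty_name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"140101000000Z") + _tlv(0x17, not_after_utc))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + alg + empty_name + validity + empty_name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for oid, expiry in (("1.2.840.113549.1.1.5", b"170630235959Z"),
                        ("1.2.840.113549.1.1.11", b"170630235959Z")):
        alg_name, h, exp = parse_certificate(build_sample_certificate(oid, expiry))
        print(alg_name, exp.date(), [chrome_sha1_treatment(v, h, exp) for v in (39, 40, 41)])
```

To run it against a live site, fetch the chain with `openssl s_client -connect example.com:443 -showcerts </dev/null`, convert each PEM block with `openssl x509 -outform DER`, and pass the bytes to `parse_certificate`. Check every certificate in the chain except the self-signed root, because Chrome's policy is triggered by a SHA-1 signature anywhere below the root, and feed the leaf's `not_after` to `chrome_sha1_treatment`.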