DALLAS—(Oct. 08, 2014)—Entrust is taking the guesswork out of SHA-2 migration. A leading provider of identity-based security solutions, Entrust is offering organizations advanced cloud-based tools to help them migrate from outdated SHA-1 SSL certificates to the new SHA-2 cryptography standard.
With industry deadlines from vendors such as Microsoft, Google and Mozilla fast approaching, failure to upgrade to SHA-2 SSL certificates in a timely manner will result in end-users receiving security warnings and browsers not displaying content properly. This also may lead users to leave websites, abandon transactions and raise concerns over online privacy, identity theft and a brand’s focus on security.
“Whenever there’s a global change to technology and security standards, organizations are tasked with new challenges and tight deadlines,” said Dave Rockvam, senior vice president of Entrust. “Because of the associated risks and ramifications, it’s critical to implement careful strategies for migration to SHA-2 SSL certificates. It’s not just websites that are affected, but software, applications and operating systems as well.”
Cloud Management, Scanning Helps Automate SHA-2 Migration
For organizations using tens, hundreds or thousands of certificates across their environment, identifying and migrating them can be a costly, time-intensive process. To help mitigate this multi-month process, Entrust offers innovative cloud-based certificate managementand scanning tools to find, examine, manage and renew SHA-1 certificates as part of a systematic SHA-2 migration plan.
Entrust® IdentityGuard Cloud Services includes new custom views that offer real-time details into affected certificate types and the order in which to renew. This helps organizations plan their migration path across several months, disseminating costs and reducing management challenges. Also included are SSL scanning tools to identify SHA-1 SSL certificates and locate where they are installed — regardless of certificate vendor. IT administrators can build customer dashboards to help them monitor the migration process.
Risks, Considerations during SHA-2 Migration
A number of factors are driving the elimination of SHA-1, ranging from compliance with U.S. NIST and PCI standards, to the technical rejection of certificates in Microsoft’s operating systems and Google’s popular Chrome browser.
The widespread adoption of SHA-1 by systems requiring hashing functions will contribute to the difficulty of SHA-2 adoption. The wide spectrum of possible crypto devices, applications and systems demand a variety of management and upgrade paths. The most difficult consideration of this process is that not everything that uses SHA-1 is compatible with SHA-2.
“It’s very important to migrate away from SHA-1 in a timely manner, as this hash standard is getting easier to break,” said Ivan Ristic, director of Application Security Research at Qualys, in charge of SSL Labs. “If the industry delays the migration, we may find ourselves under attack with no feasible defense options — similar to what happened with MD5.”
This migration process could affect hardware, applications, cloud services, operating systems, browsers and more. Some solutions for updating legacy systems and applications may be time-consuming, challenging and expensive.
Failure to migrate to SHA-2 SSL certificates will result in a downgrade of the SSL session on the site, likely causing users to abandon a site or transaction, or call support services such as helpdesks or customer service. System outages — if certificates are inappropriately replaced — are also a possibility.
One of the core components of this process is understanding upcoming dates and how each milestone affects the customer experience.
- November 2014: SHA-1 SSL certificates expiring any time in 2017 will show a warning (via a change in the domain name display) in Google Chrome.
- December 2014: SHA-1 SSL certificates expiring after June 1, 2016 will show a warning (via a change in the domain name display) in Google Chrome indicated by a yellow triangle.
- January 2015: SHA-1 SSL certificates expiring any time in 2016 will show a warning in Google Chrome.
- January 1, 2016: CAs must stop issuing new SHA-1 SSL and code-signing certificates. Microsoft will stop trusting SHA-1 code-signing certificates without time stamps.
- January 1, 2017: Microsoft will stop trusting SHA-1 SSL certificates.
Are You Affected?
If you manage, oversee, operate or otherwise secure a website, operating systems, application or browser that relies on SSL encryption, you likely need to take action. The deprecation of SHA-1 affects roles across the enterprise, including CISOs, enterprise network security professionals, IT directors, network administrators, SaaS product managers, online service marketers, owners or operators of consumer-facing websites, application managers and developers, managed security services providers and more.
Why the Change to SHA-2?
Google recently announced a plan to degrade the user experience for SHA-1 certificates in the popular Chrome browser — nearly two years ahead of schedule. SHA-1 cryptography — a key security component in the issuance and use of digital certificates — is being retired and will require organizations to migrate to more advanced SHA-2 new certificates. SHA-1, which is known to have weaknesses in collision resistance, can be exploited by attackers to generate and install a fake certificate.
Moving forward, visitors to sites without SHA-2 SSL certificates will see progressively serious security warnings about the security, which will likely increase session abandonment and affect overall brand trust.
About Entrust, part of Datacard Group
Entrust offers software authentication platforms that strengthen security in a wide range of identity and transaction ecosystems. Government agencies, financial institutions and other enterprises rely on Entrust® solutions to strengthen confidence and reduce complexity for consumers, citizens and employees. Now, as part of Datacard Group, Entrust offers an expanded portfolio of solutions across more than 150 countries. Together, Datacard Group and Entrust issue more than 10 million secure identities every day, manage billions of secure transactions annually and issue a majority of the world’s financial cards. For more information about Entrust® solutions, call 888-690-2424, email [email protected] or visit www.entrust.com.