We’re about to enter the exciting world of the SSL industry. Before you fall asleep or decide to take a pass, spend 27 seconds reading the next section — it summarizes all you need to know about a big change on the horizon for some SSL certificates.
Google says sayonara to SHA-1
“Most of the secure web is using an insecure algorithm, and Google’s just declared it to be a slow-motion emergency.” ~ Eric Mill, konklone.com
Google® is making a shift in their Chrome™ Web browser to phase out any SSL certificates which are signed using an aging hash algorithm (SHA-1) and expire after Dec. 31, 2015. (Learn more about how SSL works here.) While that algorithm hasn’t been cracked, it’s becoming weaker with age and, as an industry, we want to make sure the Internet stays safe.
So, starting in about 10 weeks, Google Chrome is going to start displaying warnings to visitors of websites that continue using the affected certificates. If your website is using an SSL certificate signed with SHA-1 that is valid past 2015, ask your Certificate Authority to provide you with a replacement cert signed with SHA-256.
Why is this happening?
Strong encryption makes it practically impossible for someone to find out what is being transmitted without having the keys to what is being sent. When properly implemented, it does an excellent job of keeping unwanted eyes from seeing the information. As technology advances, encryption mechanisms must also be improved.
SHA-1 is the latest algorithm under attack. While there have been no known compromises, it’s only a matter of time. Renowned cryptologist Bruce Schneier predicted that the cost of a successful attack against SHA-1 will be down to $700K in 2015, well within the reach of a determined adversary. Collectively, SSL certificate providers and Web browsers agree that we need to remove the certificates using SHA-1 from the Internet to increase protection of websites and their visitors.
How do I know if I have a SHA-1 cert?
You can run a number of SSL tests online. One example is https://www.ssllabs.com/ssltest. You can also check directly within your favorite browser by clicking on the lock icon and examining the certificate details.
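The same check can be done locally on a saved certificate. The script below is an added example, not part of the original post and not a GoDaddy tool: it walks the DER structure of an X.509 certificate with a minimal parser (no third-party library), reads the signature algorithm OID and the notAfter date, and applies the rule from the post (SHA-1 signed and valid past Dec. 31, 2015 means replace it). The sample certificates it builds are constructed stand-ins that carry only the fields the check reads; to check a real site, save its certificate in DER form and pass the bytes to `needs_replacement`.

```python
"""Flag DER-encoded X.509 certificates that fall under the SHA-1 sunset rule."""
from datetime import datetime

# Signature algorithm OIDs relevant to the SHA-1 sunset (RFC 3279, RFC 4055, RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}
CUTOFF = datetime(2015, 12, 31, 23, 59, 59)  # "valid past 2015", as the post puts it


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, body, pos = _read_tlv(value, pos)
        yield tag, body


def decode_oid(value):
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _parse_time(tag, value):
    """Parse UTCTime (tag 0x17, two-digit year) or GeneralizedTime (tag 0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ")


def inspect_certificate(der):
    """Return (signature algorithm name, notAfter datetime) for a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)                     # Certificate ::= SEQUENCE
    (_, tbs), (_, sig_alg), _ = _children(cert)        # tbsCertificate, signatureAlgorithm, signature
    fields = list(_children(tbs))
    idx = 1 if fields[0][0] == 0xA0 else 0             # skip optional [0] EXPLICIT version
    # fields[idx] serialNumber, [idx+1] signature, [idx+2] issuer, [idx+3] validity
    (_, _), (na_tag, na) = _children(fields[idx + 3][1])
    oid = decode_oid(next(_children(sig_alg))[1])      # first element of AlgorithmIdentifier
    return SIGNATURE_OIDS.get(oid, oid), _parse_time(na_tag, na)


def needs_replacement(der, cutoff=CUTOFF):
    """True when the certificate is SHA-1 signed and still valid after the cutoff."""
    alg, not_after = inspect_certificate(der)
    return alg in SHA1_ALGORITHMS and not_after > cutoff


# --- CONSTRUCTED sample certificates (only the fields the check reads are meaningful) ---
def encode_oid(dotted):
    """Encode a dotted OID into DER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _tlv(tag, body):
    """Encode one DER element; lengths below 256 are enough for the samples."""
    header = bytes([tag, len(body)]) if len(body) < 128 else bytes([tag, 0x81, len(body)])
    return header + body


def build_sample_certificate(sig_oid, not_after="170101000000Z"):
    """Constructed stand-in: issuer, subject and key are empty placeholders."""
    alg_id = _tlv(0x30, _tlv(0x06, encode_oid(sig_oid)) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"140101000000Z") + _tlv(0x17, not_after.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")  # version v3, serial 1
                     + alg_id + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00"))  # empty signature BIT STRING


if __name__ == "__main__":
    for oid, expiry in [("1.2.840.113549.1.1.5", "170101000000Z"),
                        ("1.2.840.113549.1.1.5", "150601000000Z"),
                        ("1.2.840.113549.1.1.11", "170101000000Z")]:
        cert = build_sample_certificate(oid, expiry)
        alg, not_after = inspect_certificate(cert)
        print(f"{alg:26} expires {not_after:%Y-%m-%d}  replace: {needs_replacement(cert)}")
```

Only the outer signatureAlgorithm is read; the copy inside tbsCertificate must match it in a well-formed certificate, and a browser's certificate viewer shows the same value. A real certificate uses long-form lengths, which `_read_tlv` handles; the short-form encoder is only needed for the constructed samples.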
How do I fix my website?
Fixing your website shouldn’t be too difficult. For the vast majority of customers, asking your Certificate Authority to provide you with a new certificate that uses SHA-2 (the new algorithm), and then installing it, is all you need to do. GoDaddy’s Web hosting customers will be automatically updated. Customers using GoDaddy certs on their own servers will need to re-key their certificates. You can find those instructions here.
What happens if I keep my SHA-1 certificate?
First of all, don’t. Plain and simple. You need to re-key your certificate as soon as possible.
To incentivize SSL certificate owners to move to SHA-2, Google has outlined a number of phases for its Chrome browser to handle sites whose certificates are signed with SHA-1. In short, users will receive increasingly worrying error messages about the site. You can find details about all of Google’s plans to move away from SHA-1 here.
We’re interested in keeping the Internet safe for everyone, and as an SSL certificate owner, we thank you for taking action.