SHA-1 certificates – what your ecommerce customers need to know


By Natasja Bolton, Senior Acquirer Support

In 2015, use of the 20-year-old SSL security protocol for encrypting sensitive data in transmission was deprecated (in PCI DSS v3.1) to encourage ecommerce businesses to migrate to TLS (Transport Layer Security).

 

In 2016, further technology changes are underway that will impact those of your customers that secure their ecommerce website with TLS certificates signed using the even older SHA-1 hashing algorithm.

 

What is SHA-1 and why is support for it ceasing?

SHA-1 is a hashing algorithm used to sign digital certificates by certificate authorities, the trusted entities that issue the TLS certificates used to verify a website’s identity on the Internet.  However, the SHA-1 hashing algorithm is known to be weak due to advances in cryptographic attacks and the calculating power of today’s computers. 

 

As a result both the certificate authorities and the browser vendors have taken action to deprecate the use of SHA-1 based certificates.

 

What does this mean for your customers?

For businesses protecting their ecommerce websites with SHA-1 signed SSL or TLS certificates, this means that their customers could be warned that their connection to the business’ website is ‘untrusted’ or ‘insecure’. The customer’s web browser may even block the connection entirely.

 

As Netcraft points out, many thousands or even millions of websites are still using valid SHA-1 signed digital certificates. Although most certificate authorities ceased issuing SHA-1-based certificates at the beginning of 2016, historically SHA-1 was the most commonly used hashing algorithm.

 

It is only since 1st April 2015 that certificate authorities have been prohibited from issuing certificates with a validity period longer than 39 months; before that validity periods could be up to 4 or even 5 years.

 

As a result, businesses issued with SHA-1 signed SSL or TLS certificates with years to go until their expiry will not be requesting re-issues of their certificates from their certificate authority, and moving to SHA-2 signed certificates, anytime soon.

 

Action is therefore needed to raise awareness among your online and ecommerce businesses to make sure that they do not lose custom as consumer browsers cease their support for SHA-1 signed certificates. In addition, the PCI DSS itself does not consider SHA-1 to be a secure or acceptable hashing algorithm. 

 

PCI DSS regards strong cryptography to be based on industry-tested and accepted algorithms, referencing NIST Special Publication 800-57 Part 1. The current release of NIST 800-57 indicates that SHA-1 is no longer approved for generating digital signatures. 

 

Therefore, for PCI DSS compliance not only do ecommerce businesses need to make sure they migrate away from use of SSL and early TLS (by end June 2018), they also need to make sure that their TLS certificates use the SHA-2 hashing algorithm.

 


What is changing?

Weaknesses were identified in the SHA-1 algorithm as early as 2005 but it is only in recent years that browser vendors have taken action to address these concerns. Calculations in 2012 showed that it was becoming increasingly likely that attackers would be able to forge a certificate that could allow them to impersonate the identity of a real website and intercept its encrypted traffic.

 

In light of these weaknesses and the potential for their exploitation, in November 2013 Microsoft was the first to announce that it would stop support for SHA-1 certificates after 2016. Other browser vendors were quick to follow suit, stating that they would stop support for SHA-1 certificates and would start displaying warnings for sites using SHA-1 signed certificates.

 

The most recent position for common consumer web browsers:

 

Date / Impact on Consumer Browsers

Present

Google Chrome:

  • Will show a warning for SHA-1 signed SSL or TLS certificates expiring any time in 2016
  • Will show a certificate error for SHA-1 signed SSL or TLS certificates issued after 1st January 2016

Mozilla Firefox:

  • Will show a certificate error ‘untrusted connection’ for SHA-1 signed SSL or TLS certificates issued after 1st January 2016

1st July 2016

Microsoft Edge and Internet Explorer:

  • Will end trust for all SHA-1 signed SSL or TLS certificates (browser address bar padlock removed); website will continue to work

1st January 2017

Google and Mozilla:

  • Will end trust for all SHA-1 signed SSL or TLS certificates*. The browser will treat the site as it does other untrusted certificates (e.g. self-signed, expired); the site will be blocked from loading.

14th February 2017

Microsoft Edge and Internet Explorer:

  • Will block all SHA-1 SSL or TLS certificates. The browser will treat the site as it does other untrusted certificates (e.g. self-signed, expired); the site will be blocked from loading.

 

 

* Both Mozilla and Google are considering moving this date up to 1st July 2016, in light of the ongoing research into SHA-1 attacks.

 

The latest information can be found at:

For businesses wishing to understand what these SHA-1 certificate browser warnings and errors look like to the consumer, badssl.com has set up two test websites:

 

Certificate signed using SHA-1 and expiring on 29th December 2016

 

Certificate signed using SHA-1 and expiring on 5th January 2017

 

How do businesses know whether their ecommerce website is affected?

The quickest way for a business to find out whether their ecommerce website is using a SHA-1 signed SSL or TLS certificate is to input their website URL or domain name into a scanning and discovery tool.  There are many freely available including:

 

What do businesses need to do if their ecommerce website is using a SHA-1 signed certificate?

Firstly, it is worth noting that although SHA-1 has known weaknesses and exploits have been developed, due to the cost of exploitation to hackers, the SHA-1 hashing algorithm is still safe to use.  However, SHA-1’s long-term ability to stand up to attacks is questionable and diminishing consumer browser support means businesses need to take action now. 

 

In simple terms, that action is to upgrade their websites to SHA-2 signed digital certificates. Many certificate authorities support unlimited free re-issues of their certificates, so it can be easy for businesses to replace a SHA-1 signed certificate with a SHA-2 certificate.

 

The recommended approach is for businesses to:

 

1. Ensure any new TLS certificates use SHA-2.
2. Inventory existing SSL or TLS certificates
3. Check for SHA-2 support in their environment
4. Check for SHA-2 support in the consumer population
  • The majority of modern browsers support SHA-2 but older versions of browsers may have compatibility issues.  Businesses should consider using web analytics to understand browser use in their consumer population and take steps to notify them of the need to upgrade.  Reminding consumers of the security benefit of upgrading to the latest technologies can help to encourage them to take action.
5. Replace certificates in expiry order
  • Start with certificates used on the business’ most important sites and those that expire after 2016. Those will be the worst affected by the changes and might stop working in 2017.
  • Then work back to replace any remaining certificates.
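
Steps 2 and 5 can be scripted once the certificates have been collected. The following is an added example, not part of the original article: it reads excerpts of `openssl x509 -noout -text` output, flags SHA-1 signatures, labels each certificate against the browser timeline above and lists the SHA-1 certificates in replacement order. The hostnames, dates and label names are constructed for illustration, and site importance (also part of step 5) is not modelled.

```python
import re
from datetime import datetime

# Constructed inventory (illustrative hosts and dates, not real certificates):
# hostname -> excerpt of `openssl x509 -noout -text` output for its certificate.
INVENTORY = {
    "shop.example.com": """Signature Algorithm: sha1WithRSAEncryption
            Not Before: Mar 10 00:00:00 2014 GMT
            Not After : Mar  9 23:59:59 2018 GMT""",
    "pay.example.com": """Signature Algorithm: sha256WithRSAEncryption
            Not Before: Feb  1 00:00:00 2016 GMT
            Not After : Feb  1 23:59:59 2018 GMT""",
    "blog.example.com": """Signature Algorithm: sha1WithRSAEncryption
            Not Before: Jun  1 00:00:00 2015 GMT
            Not After : Jun  1 23:59:59 2016 GMT""",
    "new.example.com": """Signature Algorithm: ecdsa-with-SHA1
            Not Before: Jan 15 00:00:00 2016 GMT
            Not After : Jan 14 23:59:59 2017 GMT""",
}

def parse_cert(text):
    """Pull the signature algorithm and validity dates out of openssl text output."""
    def date(label):
        value = re.search(label + r"\s*:\s*(.+?) GMT", text).group(1)
        return datetime.strptime(value, "%b %d %H:%M:%S %Y")
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    return {"alg": alg, "sha1": "sha1" in alg.lower(),
            "not_before": date("Not Before"), "not_after": date("Not After")}

def impact(cert):
    """Label a certificate with the browser behaviour from the article's timeline."""
    if not cert["sha1"]:
        return "ok"
    if cert["not_before"] > datetime(2016, 1, 1):
        return "error-now"      # issued after 1st January 2016: Chrome/Firefox error
    if cert["not_after"] >= datetime(2017, 1, 1):
        return "blocked-2017"   # still valid when trust ends in early 2017
    return "warning-2016"       # expires during 2016: Chrome warning

def replacement_order(inventory):
    """SHA-1 certificates only, latest expiry first (step 5: start after 2016, work back)."""
    certs = [(host, parse_cert(text)) for host, text in inventory.items()]
    sha1 = [(host, c) for host, c in certs if c["sha1"]]
    sha1.sort(key=lambda item: item[1]["not_after"], reverse=True)
    return [(host, impact(c)) for host, c in sha1]

if __name__ == "__main__":
    for host, label in replacement_order(INVENTORY):
        print(f"{host:20} {label}")
```

The check reads the certificate's own signature algorithm field; certificates further up the chain need the same check run on them separately.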

 

 

We are helping clients to reach out to their customers who are using SHA-1 signed SSL or TLS certificates, educating and warning that their business’ website connection is ‘untrusted’ or ‘insecure’.

 

Using our scalable, on-demand merchant support service, Merchant Contact Services, we provide acquiring organisations with a range of inbound and outbound contact services, including tailored compliance outreach programmes. For more information, request a call back or email info@sysnetgs.com.

 
