Background to the SHA-1 changes
The Secure Hash Algorithm is a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). SHA-1 is a 160-bit hash function which resembles the earlier MD5 algorithm. Cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved for most cryptographic uses after 2010.It is recommended that you don’t use SHA-1 certificates past 2016 for a number of reasons:
- Google is planning to penalize sites that use SHA-1 certificates that expire during 2016 and after
- Microsoft is to retire support for SHA-1 certificates in the coming months. Sites using SHA1 will be blocked effective January 2017
- Browser vendors are shutting down support for SHA-1 digital certificates
If you are running public facing web services, then this problem may
seem obvious. However, many network devices such as printers run web
engines, so the SHA-1 issue will impact on nearly all computer networks.
The advice is to spend some time looking at the problem now, rather
than wait for user complaints in 2017.
At a minimum, we recommend the following:
- Inventory your existing certificates with LANGuardian which has SHA-1 reporting built-in. SSL inventory enables LANGuardian to run several useful checks against SSL server configurations. LANGuardian can detect the following:
- Expired certificates
- Certificates which are about to expire
- Certificates with weak signature algorithms (MD5/SHA-1)
3. Ensure new certificates and their chains are based on SHA-2.
Our blog post here offers some additional reading on this topic.
Be the first to post a reply!