zvelo Urges Partners (and everyone) to Update their SSL Certificates to SHA-2
After December 31, 2015, SSL certificates whose signature uses the SHA-1 hash algorithm will be declared “technology non grata” on the modern Internet. This is an industry-wide change, not something specific to zvelo’s products. As a result, beginning January 1, 2016, all partners (and everyone in general) will need client software that accepts SHA-2-signed SSL certificates in order to download updates and patches for all of zvelo’s offerings.
So, What’s the Big Deal?
Some companies still need to bring their SSL certificates into full SHA-2 compliance. A certificate that is not reissued with a SHA-2 signature will trigger warnings and errors in customers’ browsers. That damages confidence in the company’s brand, teaches the general public to click through security warnings, and, because SHA-1 is weak against collision attacks, makes a forged certificate and a man-in-the-middle attack more feasible.
Globally, SHA-2 is supported by at least 98.31% of browsers. So, while cutting 1.69% off the encrypted Internet may not seem like a lot, it represents over 37 million people (roughly the population of California) who cannot reach SHA-2-protected sites unless they upgrade their devices. As SHA-2-only certificates proliferate, a user on a SHA-1-only browser who tries to access an encrypted site will see an error page that completely blocks access, because the browser cannot verify the certificate’s signature.
This change follows the Microsoft Root Certificate Program policy, in which Microsoft announced the deprecation of SHA-1 and imposed the following requirement:
Certificate Authorities (CAs) must stop issuing new SHA-1-signed SSL end-entity certificates by January 1, 2016. Learn more here: https://technet.microsoft.com/library/security/2880823
SSL certificate vendors such as GoDaddy, Symantec and DigiCert, among most others, are following this requirement, so when certificate owners renew their certs this year and in the coming years, the only option will be a SHA-2-signed certificate. Most SSL vendors already default to, or recommend, SHA-2 signatures for new certificates and renewals.
Is This a New Thing?
No. NIST (the National Institute of Standards and Technology) introduced the SHA-2 hash family in 2001, but wide adoption did not occur until 2009, even though the first weakness in SHA-1 was published in 2005. Since then, several researchers have reduced the work needed to find SHA-1 collisions, and in 2011 NIST’s transition guidance (SP 800-131A) officially deprecated SHA-1 for generating digital signatures. Most browsers have supported SHA-2-signed SSL certificates since 2008, but open source software such as OpenSSL did not fully support them until 2010.
What’s Next if You’re a zvelo Partner?
zvelo advises all partners who have not yet ensured their SSL compliance to make the transition immediately. Beginning January 1, 2016 it is vital to use tools, libraries, etc. that support SHA-2. Note also that attacks on SHA-2 are expected to become more practical over time, just as they did for SHA-1. So, during the planning and transition process, zvelo recommends that all partners build in a strategy for this risk: make sure the process for updating your software can adapt easily to an ever-changing web environment, including a future move to newer signature algorithms.
Bottom line: if you’re a zvelo partner, ensure that the mechanisms you use to download zvelo updates and patches from our secured zveloNET® cloud servers support the SHA-2 family and can validate SHA-2-signed SSL certificates.
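The first step in checking your own certificates (and the chain a server such as zveloNET presents to you) is to see which hash actually signed each certificate. The Python below is an added example, not zvelo’s code: it parses just enough DER to read the two signature-algorithm fields of an X.509 certificate, checks that they agree as RFC 5280 requires, and classifies the hash as SHA-2, legacy (SHA-1 or MD5) or unknown. It uses only the standard library and runs offline; the `stub_certificate` fixtures are constructed certificate-shaped skeletons with placeholder signature values, not real certificates, and the function names and OID tables are my own choices.

```python
"""Report which hash signed an X.509 certificate (stdlib only, runs offline).
Added example, not zvelo's code: parses just enough DER to read Certificate.signatureAlgorithm
and tbsCertificate.signature (RFC 5280 4.1) and flags SHA-1/MD5.  The sample certificates are
constructed skeletons with placeholder signature values, not real certificates."""
import base64

LEGACY = {  # must not appear on any public certificate after the SHA-1 cut-over
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA2 = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed (SEQUENCE) value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def decode_oid(value):
    """OID content bytes -> dotted string (the first byte packs arcs 1 and 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid = next(children(alg_id))
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def signature_algorithms(der):
    """Return (tbsCertificate.signature, Certificate.signatureAlgorithm) as dotted OIDs."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input? call der_from_pem first)")
    tbs, sig_alg, _sig_value = [v for _, v in children(cert)]
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:  # [0] EXPLICIT version is optional (absent in v1 certificates)
        fields = fields[1:]
    return algorithm_oid(fields[1][1]), algorithm_oid(sig_alg)  # fields[0] is serialNumber

def classify(der):
    """Return (status, detail) with status OK, WEAK, INVALID or UNKNOWN."""
    inner, outer = signature_algorithms(der)
    if inner != outer:  # RFC 5280 4.1.1.2: both fields MUST carry the same algorithm
        return "INVALID", f"{inner} != {outer}"
    if outer in SHA2:
        return "OK", SHA2[outer]
    return ("WEAK", LEGACY[outer]) if outer in LEGACY else ("UNKNOWN", outer)

def der_from_pem(pem):
    """Strip the -----BEGIN/END----- armour of one PEM block and base64-decode it."""
    return base64.b64decode("".join(ln.strip() for ln in pem.splitlines() if ln and not ln.startswith("-----")))

def to_pem(der):
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

def tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed fixtures below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def stub_certificate(sig_oid, outer_oid=None, null_params=True):
    """Constructed fixture: real field order, placeholder contents; outer_oid != sig_oid builds a mismatch."""
    def alg(oid):
        return tlv(0x30, encode_oid(oid) + (tlv(0x05, b"") if null_params else b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x00\x01")  # [0] version v3, serial
              + alg(sig_oid) + tlv(0x30, b""))  # signature, then an empty issuer Name as placeholder
    sig_value = tlv(0x03, b"\x00" + bytes(256))  # placeholder BIT STRING; makes the outer length long-form
    return tlv(0x30, tbs + alg(outer_oid or sig_oid) + sig_value)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, classify(der_from_pem(to_pem(stub_certificate(oid)))))
```

For a live check, `openssl s_client -connect host:443 -showcerts </dev/null` prints the chain the server sends; pass each PEM block through `der_from_pem` and `classify` (or, for a single file, `openssl x509 -in cert.pem -noout -text` and look at the `Signature Algorithm:` lines). Every certificate except the root must come back `OK`: browsers do not verify a trust anchor’s self-signature, so a SHA-1-signed root is not a problem, but a SHA-1 intermediate or leaf is.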