The year is quickly coming to a close, and it’s that time again for IT administrators to prepare a list of tasks to complete before the new year begins. If you are one such administrator, or a webmaster managing public facing websites, here’s an important tip: if any of your websites use SHA-1 (Secure Hash Algorithm 1) SSL certificates, you should immediately migrate to SHA-2. Otherwise, your valuable customers will end up seeing bright red security errors and warnings on your website starting Jan 1, 2017!
Now before sketching out the SHA-2 migration plan, let’s spend a few moments getting (re)acquainted with Secure Socket Layer (SSL) and SHA technologies so that the migration makes sense.
SSL encryption: the gold standard for secure communication
SSL is a protocol used to transfer information securely over the internet. Websites today posses SSL certificates, a digital certificate signed by a trusted third party that both verifies the ownership and encrypts the data being transmitted, thereby providing data integrity and privacy for customers. Recently, following incidents such as the Heartbleed bug in OpenSSL, people have started second guessing SSL technology. But the real problem lies not with SSL technology itself, but with the way the encryption is handled.
Outdated SHA-1 is vulnerable to attacks
SHA, a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST), is widely used in SSL certificates to encrypt data transmission. NIST has continued to be a gatekeeper of security, and NIST’s Cybersecurity Framework has been adopted by most organizations in the private sector to prevent cyber attacks. SHA-1 is a 160-bit version of SHA published by NIST and is also the most widely used signing algorithm for SSL certificates today.
But unfortunately, an experiment conducted by a group of researchers in 2015 revealed that SHA-1 is no longer secure, and can now easily be broken by hackers. Though SHA-1 is not completely insecure yet, researchers predict that it will be in the near future. As a result, NIST has imposed a ban on SHA-1 starting January 1, 2017. It’s high time for the SHA-1 users out there to upgrade to SHA-2 , a more secure, 256-bit variant of SHA, in order to safeguard organizations from red stamps and bad reputations.
Uphill upgrade to SHA-2
If your organization deals with a large number of SSL certificates for its various domains, the task in front of you is not going to be easy. Here’s what you have to do:
Discover all the SSL certificates deployed in your organization.
Isolate the SHA-1 certificates.
Request new SHA-2 certificates from the certificate signing authorities.
Deploy the new SHA-2 certificates.
Track the newly deployed certificates for expiration to stay up to date on renewals.
Unfortunately, getting all these steps accomplished manually with no errors is daunting and time consuming.
Is there an easy way out?
With effective automation, migration is simple. The entire process becomes much less complicated if you track down all the SHA-1 certificates in your network automatically and immediately raise requests for new SHA-2 certificates. If you’re looking for assistance with this, try ManageEngine Key Manager Plus, a web-based SSL certificate and SSH key management solution. Key Manager Plus breaks the whole migration process into a set of simple tasks and helps you accomplish everything in just a few clicks.
Click here to learn how to do away with SHA-1 and upgrade to SHA-2 using Key Manager Plus!
