New research from Venafi Labs shows that 21 percent of the world’s websites are still using certificates signed with the vulnerable Secure Hash Algorithm, SHA-1.
On February 23, 2017, Google affiliated security researchers announced they cracked the SHA-1 security standard using a collision attack. The incident proved that the deprecated cryptographic secure hash algorithm still used to sign many website digital certificates can be manipulated.
Newly issued certificates using the SHA-2 family of hash functions solve these problems, but Venafi Labs’ research shows that many companies have not replaced all their certificates with ones signed by SHA-2. This leaves organizations open to security breaches, compliance problems, and outages that can affect security, availability, reliability and even profits.
“The results of our most recent analysis are not surprising,” said Kevin Bocek, chief security strategist for Venafi. “Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I’m sure we are going to see it again.”
Web transactions and traffic may be disrupted in a variety of ways due to use of insecure SHA-1 certificates:
- Browsers will display warnings to users that the site is insecure, prompting users to look for an alternative site.
- Browsers will not display the ‘green padlock’ on the address line for HTTPS transactions; consumers rely on this icon as an indication that online transactions are secure and private.
- Sites may experience performance problems; in some cases, access to websites may be completely blocked.
In addition to the serious impact on user experience, websites that continue to use SHA-1 certificates are likely to experience a significant increase in help desk calls and a reduction in revenue from online transactions as users abandon websites due to security warnings.