The Case for Making the Move from SHA-1 to SHA-2 Certificates

Good security is a combination of building layers and staying one step ahead of would-be attackers.

Mozilla recently announced that Firefox might end trust for SHA-1 Certificates six months sooner than the current SHA-1 deprecation timeline. This announcement came shortly after a research team expressed concerns about a theoretical risk associated with the SHA-1 hashing algorithm, and urged IT admins to replace their SHA-1 Certificates with SHA-2 sooner, rather than later.

A portion of the Internet community that has already transitioned away from SHA-1 to SHA-2 Certificates is glad that this was something they didn’t need to worry about in their own security landscape. But those still using SHA-1 Certificates must now reassess and finalize when to make the move to SHA-2. The longer the wait, the increased chance for a lapse in security.

Experts Worried about Repeat Mistakes

One of the reasons that Mozilla and other browsers may be pushing the transition from SHA-1 to SHA-2 is because of the inherent “If it ain’t broke, don’t fix it” mentality. Change requires work and can be difficult. For example, the number of SHA-1 Certificates in your security landscape, the cost of making the transition (labor, time, cost of new certificates or replacing certificates, etc.), and whether or not your hardware, operating systems, clients, and custom application codes support SHA-2, may make the transition harder and be reasons for dragging feet.

Security pros will remember the MD5 hashing algorithm days and how hard it was to transition the Internet (as a group) from one hashing algorithm to another. Despite a discovered theoretical weakness and timely and repeated encouragement to transition from MD5 to SHA-1 Certificates, the Internet community was slow to make a move. It wasn’t until a group of researchers found that MD5 collisions were now practical that IT admins were forced to make a frantic switch to SHA-1.

Switch to SHA-2 Now

In 2005, a theoretical weakness was discovered in SHA-1. In October 2015, another theoretical weakness—the freestart collision—was discovered in SHA-1. It is only a matter of time before the theoretical becomes practical. So, why wait? If you abide by proactive best security practices, it is advantageous to make the switch to SHA-2 now.

Browsers have set dates for when they will stop trusting SHA-1 Certificates, which range from six months to one year from now. There is still time to plan and make a scheduled move from SHA-1 to SHA-2 Certificates. But why wait until your hand is forced? The move is meant to strengthen your security landscape and Internet community as a whole.

Keep your layers strong, including certificates and endpoints. Stay one step ahead and migrate to SHA-2 Certificates as soon as possible.

For more information about making the transition from SHA-1 to SHA-2, see Switching to SHA-2.