NCSAM Tip of the Week: Look for SHA-1 Browser Warnings

It’s October, which means that it’s time for National Cyber Security Awareness Month (NCSAM) again! To do our part and help promote cyber security awareness, DigiCert will be posting security tips every day as well as a blog post once a week in coordination with that week’s theme. To see our daily security tips, follow us on Facebook, Google+, and Twitter.

Stop. Think. Connect.

This week’s theme for the NCSAM is “Stop. Think. Connect.” In a busy, click-happy world people tend to ignore popups and warnings in favor of getting where they want to go. This might be okay if you’re ignoring yet another annoying ad. However, this becomes a problem when people get so used to closing messages that they ignore legitimate security warnings.

Only 15% of websites use SHA-2 certificates. With Google and Mozilla announcing that they will begin to show security warnings for sites secured with SHA-1 certificates, the number of security warnings that we have to watch for is about to increase.

However, this is not a warning message that users should ignore. Network security experts have warned that SSL Certificates using the SHA-1 hashing algorithm are at risk of attack as computing technology advances, and a research team from China identified a weakness in SHA-1’s collision resistance in 2005. Because of these security concerns, the industry has been shifting toward SHA-2 over the last few years. With the sophistication of attacks and available computing power advancing rapidly, sites should be moving to SHA-2 as quickly as possible.

So, when you’re going to a website and you stop to think, be sure to look for these SHA-1 security warnings in addition to other warning messages in your browser before connecting.

Google Chrome Warning Messages for SHA-1 Certificates

Starting with version 39, Google Chrome will show security warnings for SHA-1 certificates in all future versions. The warning that is shown depends on the expiration date of the certificate.

Mozilla Firefox Warning Messages for SHA-1 Certificates

Mozilla is adding a security warning to the developer Web Console in early 2015 for all SHA-1 certificates. This warning will be more prominent if the SHA-1 certificate expires after January 1, 2017.

Mozilla also plans to add warnings to the Firefox browser in the future. In 2016, Firefox will begin to show an “Untrusted Connection” error when a newly issued SHA-1 certificate is encountered, and in 2017 Firefox will show an “Untrusted Connection” error whenever a SHA-1 certificate is encountered.

A Word to Admins

With the rising awareness of the need to be safe online, users are becoming more cautious about the sites they visit and where they enter their information. Technical and even not-so-technical users are put off by sites with security warnings and sometimes don’t come back to them. To avoid damage to your website and brand, we recommend switching over to SHA-2 as soon as possible.
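To find out which of your certificates would trigger these warnings, the following added example (not DigiCert's or any browser's code) reads the signature algorithm and expiry date from a DER-encoded certificate using only the Python standard library. The function names, the returned fields and the sample certificate skeleton are constructed for illustration, and the cutoff uses only the January 1, 2017 date given above.

```python
from datetime import datetime

# DER-encoded OID bytes -> (signature algorithm name, hash family)
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): ("sha1WithRSAEncryption", "SHA-1"),
    bytes.fromhex("2a864886f70d01010b"): ("sha256WithRSAEncryption", "SHA-2"),
    bytes.fromhex("2a8648ce3d0401"): ("ecdsa-with-SHA1", "SHA-1"),
    bytes.fromhex("2a8648ce3d040302"): ("ecdsa-with-SHA256", "SHA-2"),
}
CUTOFF = datetime(2017, 1, 1)  # expiry date the article ties to the more prominent warning

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed DER element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_cert(der):
    """Return (algorithm name, hash family, notAfter, expires_after_cutoff_with_sha1)."""
    top = children(read_tlv(der, 0)[1])  # tbsCertificate, signatureAlgorithm, signature
    oid = children(top[1][1])[0][1]
    name, family = SIG_OIDS.get(oid, ("unknown OID " + oid.hex(), "unknown"))
    tbs = children(top[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip the optional [0] version field
    tag, raw = children(tbs[3][1])[1]  # serial, signature, issuer, validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    not_after = datetime.strptime(raw.decode("ascii"), fmt)
    return name, family, not_after, family == "SHA-1" and not_after > CUTOFF

def sample_cert(oid_hex, not_after):
    """Constructed, unsigned certificate skeleton (short-form lengths only) for the demo."""
    t = lambda tag, body: bytes([tag, len(body)]) + body
    alg = t(0x30, t(0x06, bytes.fromhex(oid_hex)) + t(0x05, b""))
    validity = t(0x30, t(0x17, b"140101000000Z") + t(0x17, not_after))
    tbs = t(0x30, t(0xA0, t(0x02, b"\x02")) + t(0x02, b"\x01") + alg + t(0x30, b"")
            + validity + t(0x30, b"") + t(0x30, b""))
    return t(0x30, tbs + alg + t(0x03, b"\x00\x00"))

if __name__ == "__main__":
    print(inspect_cert(sample_cert("2a864886f70d010105", b"170601000000Z")))
```

For a real certificate in PEM form, convert it to DER with `ssl.PEM_cert_to_DER_cert()` before passing it to `inspect_cert()`.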
