Over a fifth (21 per cent) of websites are still using insecure SHA-1 certificates, leaving users at risk of man-in-the-middle, brute force and collision attacks which expose sensitive data, according to new research.
Venafi’s research shows there has been improvement since November 2016, at which point over a third (35 per cent) of websites were still using SHA-1.
However, there is still a long way to go to ensure online security. SHA-1 is an outdated encryption algorithm and has been known to be insecure for some time – in fact, the first warning were issued as far back as 2005.
This is why Google, Microsoft and Mozilla set deadlines in early 2017 for websites to migrate, saying they would no longer trust these sites. Since this deadline passed researchers working with Google have already demonstrated a successful collision attack on the algorithm, exposing it as more vulnerable than ever. Companies need greater urgency if they are to protect their online users.
On February 23, 2017, Google affiliated security researchers announced they cracked the SHA-1 security standard using a collision attack. The incident proved that the deprecated cryptographic secure hash algorithm still used to sign many website digital certificates can be manipulated.
Newly issued certificates using the SHA-2 family of hash functions solve these problems, but Venafi Labs’ research shows that many companies have not replaced all their certificates with ones signed by SHA-2. This leaves organizations open to security breaches, compliance problems, and outages that can affect security, availability, reliability and even profits.
“The results of our most recent analysis are not surprising,” said Kevin Bocek, chief security strategist for Venafi. “Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I’m sure we are going to see it again.”
Web transactions and traffic may be disrupted in a variety of ways due to use of insecure SHA-1 certificates:
• Browsers will display warnings to users that the site is insecure, prompting users to look for an alternative site.
• Browsers will not display the ‘green padlock’ on the address line for HTTPS transactions; consumers rely on this icon as an indication that online transactions are secure and private.
• Sites may experience performance problems; in some cases, access to websites may be completely blocked.
In addition to the serious impact on user experience, websites that continue to use SHA-1 certificates are likely to experience a significant increase in help desk calls and a reduction in revenue from online transactions as users abandon websites due to security warnings.
Encryption is required for private and secure communications and transactions. Digital certificates are used to identify and authenticate machines and establish encrypted sessions between users and websites. Digital certificates also verify that the website to which the user is connecting is legitimate and all web browsers use certificates to determine what can and can’t be trusted during online transactions. This is particularly critical in transactions that include sensitive data such as eCommerce and online banking.
In February 2017, the Venafi Labs research team analyzed data on over 33 million publicly visible IPv4 websites using Venafi TrustNet™, a proprietary database and real-time certificate intelligence service. This research discovered that over 1 in 5 certificates for unique IP addresses are still using SHA-1 as the signature hash algorithm.