Surviving With SHA-1 As Browsers Update

Both businesses and users operating online want assurances that communications between them will not be intercepted by hackers, and that sensitive information will not be stolen and used for identity theft or other malicious purposes. It is for this reason that SSL/TLS (secure sockets layer/transport layer security) exists. When users see HTTPS in a web address, they know it denotes security.

Until recently, SSL certificates that use the SHA-1 hashing algorithm were considered safe for use with browsers, but advances in technology have led to a move to a newer, safer hashing algorithm: SHA-256. What does this mean for businesses operating online?

Here’s what’s happening with the SHA-1 update.


What is happening with SHA-1?

As of January 2016, certificate authorities (CAs) stopped issuing SHA-1 SSL/TLS certificates, encouraging websites to upgrade to SHA-256. Following this, software providers like Microsoft announced that they would begin warning users when a website was using SHA-1, indicating that the highest level of security was not being provided.

Microsoft Edge, Google Chrome, and Mozilla Firefox all announced plans to remove support for websites using SHA-1 early in 2017. This is, of course, intended to protect users and ensure that they understand when a website isn’t providing the highest level of security available. However, it means that business websites must now complete a SHA-1 update or risk losing browser support and online traffic.
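To see whether a given certificate is affected, read the signature algorithm recorded in the certificate itself. The following is an added example, not part of the original article: a Python standard-library parser that pulls the signature algorithm OID out of a PEM certificate and flags SHA-1. The function names are illustrative, and the sample input is a constructed skeleton rather than a real certificate.

```python
import base64

# DER-encoded signature algorithm OIDs (hex) -> (name, uses SHA-1?)
SIG_ALGS = {
    "2a864886f70d010105": ("sha1WithRSAEncryption", True),
    "2a864886f70d01010b": ("sha256WithRSAEncryption", False),
    "2a8648ce3d0401": ("ecdsa-with-SHA1", True),
    "2a8648ce3d040302": ("ecdsa-with-SHA256", False),
}

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def pem_to_der(pem):
    """Strip the PEM armor lines and base64-decode the body."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def signature_algorithm(der):
    """Return (name, is_sha1) for the certificate's outer signatureAlgorithm."""
    _, cert_start, _ = read_tlv(der, 0)         # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)   # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = der[oid_start:oid_end].hex()
    return SIG_ALGS.get(oid, ("unknown OID " + oid, None))

def tlv(tag, value):
    """Encode a short DER element (value under 128 bytes, enough for the sample)."""
    return bytes([tag, len(value)]) + value

def sample_cert(oid_hex):
    """Constructed skeleton (empty tbsCertificate and signature); not a real cert."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
```

For a real certificate, pass the contents of its PEM file to `pem_to_der` and the result to `signature_algorithm`; run it on each certificate the server sends, since every one carries its own signature algorithm.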


How can I keep using SHA-1 while transitions are being made?

The SHA-1 update has proven problematic for many businesses. It may not be as simple as upgrading your SSL certificate – you might also have to undertake costly and complex upgrades to other systems and hardware in order to integrate this new technology and keep everything up and running, and this can be a real hardship.

Naturally, you want to protect your company and your customers, but the upgrade process may extend well beyond the point when browsers start issuing warnings to users. This can have a detrimental impact on your business that further exacerbates the situation.

What can you do? The good news is that you can find ways to continue supporting legacy systems and devices that require SHA-1 options while you’re in transition. Although both CAs and browsers recommend upgrading to SHA-256 as soon as possible to provide the best security and comply with industry requirements, not every business is capable of matching the CA/browser timetable, and a backup plan may be in order.


What are my options?

Your best bet is to do all you can to upgrade to SHA-256 as quickly as possible, but since browsers have already started to issue warnings related to the use of SHA-1, you need a stopgap that will allow you to keep operating SHA-1 legacy systems and devices during the transition.

There is a solution for this offered by Secure128. If you have legacy systems and devices requiring a SHA-1 SSL certificate that you need to support as you transition to SHA-256, Symantec’s Private CA certificates can provide the ongoing support you need. Find more information at: