One-Fifth of Websites Still Running SHA-1, Risking Security Issues

The death knell for the SHA-1 hashing standard has been sounding for a number of years now, and Google’s demonstration of a practical collision against it in February turned the volume up even higher. Despite this, it seems many websites aren’t yet ready to say goodbye.

New research from Venafi has revealed that 21% of websites they tested are still using SHA-1 certificates. This figure is down from the 36% they discovered in November 2016, but there is still a long way to go to ensure a safer online experience.

Those websites still running SHA-1 certificates instead of the more secure SHA-2 are leaving themselves and their customers open to security breaches, compliance problems and outages that can affect data protection, availability and reliability, Venafi said. Those sites running SHA-1 will no longer display the green padlock indicating a secure website.

Even profits can be affected, as users who are struggling with the usability of the website or are scared away by security warnings are far more likely to abandon the website and seek an alternative. Using SHA-1 could render some sites completely unavailable depending on security settings. Venafi also said that use of SHA-1 could increase help desk calls, as frustrated users who cannot access the site will contact customer services.

“The results of our most recent analysis are not surprising,” said Kevin Bocek, chief security strategist for Venafi. “Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I’m sure we are going to see it again.”

Even before Google’s cracking of the SHA-1 standard via a collision attack, the industry was moving away from it. Microsoft declared in November 2016 that it was no longer secure and support for websites running it would end in mid-2017. Mozilla, maker of the Firefox browser, said the same thing a month earlier. Google said as early as 2014 that it would phase out use of SHA-1.

Venafi conducted its test in February 2017, analyzing 33 million publicly visible IPv4 websites using certificate intelligence service Venafi TrustNet. Over one in five certificates for unique IP addresses were using SHA-1 at the time of the test.
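The visibility gap Bocek describes starts with knowing which certificates in your own estate are still SHA-1 signed. The following is an added example, not Venafi's tooling or code from the article: a stdlib-only Python check that walks a certificate's DER structure to its outer signatureAlgorithm OID and reports whether the signature is SHA-1 or SHA-2 based. The two sample inputs are constructed skeletons with an empty tbsCertificate, not real certificates; `sample_cert` and the OID tables are this example's own names.

```python
"""Classify a DER certificate's signatureAlgorithm as SHA-1 or SHA-2 (added example)."""

# Signature algorithm OIDs from RFC 3279 / RFC 5758, dotted form.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA2_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm (the outer one)."""
    tag, start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, start)        # tbsCertificate: skipped whole
    _, alg_start, _ = _tlv(der, tbs_end)    # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def classify(der):
    """Return ('SHA-1'|'SHA-2'|'unknown', algorithm name or raw OID)."""
    oid = signature_algorithm(der)
    if oid in SHA1_SIG_OIDS:
        return "SHA-1", SHA1_SIG_OIDS[oid]
    if oid in SHA2_SIG_OIDS:
        return "SHA-2", SHA2_SIG_OIDS[oid]
    return "unknown", oid

# Constructed sample inputs: a certificate skeleton, NOT a real certificate.
SHA1_RSA_OID_DER = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID_DER = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def sample_cert(oid_bytes):
    """Empty tbsCertificate, AlgorithmIdentifier {oid, NULL}, empty BIT STRING."""
    alg = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body

if __name__ == "__main__":
    for name, oid in (("sha1", SHA1_RSA_OID_DER), ("sha256", SHA256_RSA_OID_DER)):
        print(name, classify(sample_cert(oid)))
```

On a real certificate, feed `signature_algorithm` the DER bytes (e.g. `ssl.PEM_cert_to_DER_cert` output) to inventory which servers still need migrating.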
