One-Fifth of Websites Still Running SHA-1, Risking Security Issues

Exterminator

Oct 23, 2012
The death knell for security standard SHA-1 has been sounding for a number of years now, and Google’s cracking of it in February turned the volume up even higher. Despite this, it seems many websites aren’t yet ready to say goodbye.

New research from Venafi has revealed that 21% of websites they tested are still using SHA-1 certificates. This figure is down from the 36% they discovered in November 2016, but there is still a long way to go to ensure a safer online experience.

Those websites still running SHA-1 certificates instead of the more secure SHA-2 are leaving themselves and their customers open to security breaches, compliance problems and outages that can affect data protection, availability and reliability, Venafi said. Those sites running SHA-1 will no longer display the green padlock indicating a secure website.

Even profits can be affected, as users who are struggling with the usability of the website or are scared away by security warnings are far more likely to abandon the website and seek an alternative. Using SHA-1 could render some sites completely unavailable depending on security settings. Venafi also said that use of SHA-1 could increase help desk calls, as frustrated users who cannot access the site will contact customer services.

“The results of our most recent analysis are not surprising,” said Kevin Bocek, chief security strategist for Venafi. “Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I’m sure we are going to see it again.”

Even before Google’s cracking of the SHA-1 standard via a collision attack, the industry was moving away from it. Microsoft declared in November 2016 that it was no longer secure and support for websites running it would end in mid-2017. Mozilla, maker of the Firefox browser, said the same thing a month earlier. Google said as early as 2014 that it would phase out use of SHA-1.

Venafi conducted its test in February 2017, analyzing 33 million publicly visible IPv4 websites using certificate intelligence service Venafi TrustNet. Over one in five certificates for unique IP addresses were using SHA-1 at the time of the test.
Winter Soldier

Feb 13, 2017
Through Shaaaaaaaaaaaaa you can check the type of the hash used by the certificate of a site. The software used by Shaaaaaaaaaaaaa is public, so you can run tests directly from your computer.

www.malwaretips.com has a certificate chain signed with SHA-2. :)
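A check of the kind Winter Soldier describes, as an added example that is not code from the thread or from Shaaaaaaaaaaaaa: it walks the DER encoding of a certificate with the standard library only and reports which hash its outer signatureAlgorithm names, so a chain can be scanned for SHA-1 signatures. The two certificates at the bottom are constructed stand-ins (empty tbsCertificate, dummy signature bits) so that the block runs offline.

```python
# Signature-algorithm OIDs (RFC 3279 / 4055 / 5758) and the hash each names.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Base-128 OID content bytes -> dotted string (first byte packs two arcs)."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def signature_hash(der):
    """Hash named by the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, pos)        # tbsCertificate, skipped as a whole
    _, alg_start, _ = _tlv(der, tbs_end)  # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_ALG_HASH.get(oid, "unknown(%s)" % oid)

def sha1_in_chain(chain):
    """Indexes of the certificates in a DER list that are signed with SHA-1."""
    return [i for i, der in enumerate(chain) if signature_hash(der) == "sha1"]

def _der(tag, content):  # short-form DER encoder, enough for the tiny samples
    return bytes([tag, len(content)]) + content

def _sample_cert(oid_hex):
    """Constructed stand-in: empty tbsCertificate, a real OID, dummy signature bits."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00" * 5))

SAMPLE_SHA1 = _sample_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SAMPLE_SHA256 = _sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

For a live host, `ssl.get_server_certificate((host, 443))` followed by `ssl.PEM_cert_to_DER_cert` yields the leaf certificate in the DER form `signature_hash` expects; note that a SHA-1 self-signed root in the trust store is not the problem, only SHA-1 signatures on the leaf and intermediates are.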
