Essent Directs Customers with Websites to Update SSL Certificates Using SHA1 Encryption to SHA256

Note

You should bring this Support Notice to the attention of your Information Technology (IT) department or webmaster.

Background

Secure website communications, necessary for sensitive, private transactions such as ecommerce sites that collect payment card information and personally identifiable information (PII), are provided by HTTPS, which requires SSL (Secure Socket Layer) Certificates to encrypt and decrypt information transmitted over the Internet. Like everything in life, nothing is 100% perfect. With encryption algorithms this translates into vulnerabilities. Some are major: it is very easy for an experienced person to break the encryption and read the information. Some are minor, for one of several reasons: the conditions that give rise to the vulnerability are rare (you have to have just the right combination for it to be a problem); it is a really difficult process to perform (you need a lot of time and equipment to break the encryption); no one has figured out how to do it (experts theoretically know there is a weakness, but no one has worked out how to exploit it); or it just doesn't impact that many people in practice (because not many people are using the vulnerable technology).

Problem

SHA1 is a very popular 160-bit cryptographic hash function that has a minor vulnerability. The weakness was identified in 1999 by a group of cryptographers who were able to crack the algorithm. The results were duplicated by another set of cryptographers. The calculations necessary to break the algorithm took almost 5 years. In 2005 there were discussions about retiring SHA1, but no major concern or impetus to do so. In 2012 cryptographers illustrated that it was feasible to crack SHA1 with expensive equipment. In November 2013 Microsoft announced they would deprecate SHA1 certificates starting in 2013 and stop accepting them as of January 1, 2016. In September 2014 Google announced they would sunset SHA1 starting in November 2014 and cease accepting it as of January 1, 2017.

In the Google Chrome browser version 39, Google decided that for Chrome:

"HTTPS sites whose certificate chains use SHA1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome's user interface."

In other words, even though it is before 2017, if the certificate is valid beyond January 1, 2017, Google will consider it untrustworthy. A certificate that uses SHA1 but expires December 31, 2016 will still be considered trustworthy, even though nothing encryption-wise has changed. An odd behavior, but one with significant consequences.

Effective with Chrome 39, HTTPS pages for websites that use SHA1 SSL Certificates will be marked as insecure. The consequence to website owners is that even though SHA1 is still supported until 2016 and 2017, respectively, under the Microsoft and Google policies stated above, SHA1 must now be considered obsolete and unsupported because of what Google Chrome reports to website visitors.

The webpage is not insecure, but Google reports it as such, effectively making it untrustworthy in the eyes of the visitor.

Corrective Action

Essent directs customers with a website, and in particular Essent SiteBuilder customers, whose SSL Certificates use the SHA1 algorithm to immediately replace them with an SSL Certificate based on SHA256 or greater, as dictated by the capabilities of their webserver and their customer base.

  • Inventory your existing certificates to verify whether you use SHA1.
    • Visit your website.
    • Go to a secure page (HTTPS protocol).
    • Click on the Lock Icon, either in the address textbox or on the menu bar depending on your browser.
    • Take note if the Signature Hash Algorithm is SHA1.
    • Repeat the process for each website or domain name.
  • For websites that use SSL Certificates based on SHA1, contact your website administrator to upgrade.
    • If you purchase your own certificate, contact your certificate issuer.
    • If you need a Certificate Signing Request (CSR), contact your provider. Essent SiteBuilder customers should contact Essent Systems Integration.
    • Once the certificate is issued, contact your provider to schedule implementation.
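The manual lock-icon check above scales poorly once you have more than a handful of domains, and the Chrome 39 rule described earlier (SHA1 chain plus expiry past 1 January 2017) is easy to misjudge by eye. The following added example, which is not part of the Essent notice, reads the signature algorithm and notAfter date out of a DER-encoded X.509 certificate using only the Python standard library and applies that rule. The `check_live_site` function and the constructed `sample_certificate` skeleton are assumptions of this example: the skeleton is an unsigned placeholder with only the fields the inventory reads, not a real certificate, and the OID table is a partial list.

```python
import datetime
import ssl

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758 (partial list).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
UTC = datetime.timezone.utc
CHROME39_CUTOFF = datetime.datetime(2017, 1, 1, tzinfo=UTC)  # rule quoted in the notice


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value (SEQUENCE etc.) into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """OID content octets -> dotted-decimal string."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_time(tag, value):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> aware datetime."""
    s = value.decode("ascii")
    if tag == 0x17:                                     # RFC 5280 two-digit-year rule
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s[:14], "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def inspect_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = der_tlv(der)
    tbs, sig_alg = der_children(cert)[:2]
    oid = decode_oid(der_children(sig_alg[1])[0][1])    # first child of AlgorithmIdentifier
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    validity = der_children(fields[3][1])               # serial, signature, issuer, validity
    return SIG_ALG_OIDS.get(oid, oid), parse_time(*validity[1])


def chrome39_verdict(sig_alg, not_after):
    """SHA1 is only tolerated by Chrome 39 if the certificate expires before 2017."""
    if "sha1" not in sig_alg.lower():
        return "OK"
    return "UNTRUSTED_SHA1" if not_after >= CHROME39_CUTOFF else "SHA1_EXPIRES_BEFORE_2017"


def check_live_site(host, port=443):
    """Network variant of the lock-icon check: fetch the leaf certificate and grade it."""
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    alg, not_after = inspect_certificate(der)
    return alg, not_after, chrome39_verdict(alg, not_after)


# --- Constructed sample input: an unsigned skeleton, not a real certificate ---
def der_encode(tag, content):
    """Short-form DER encoder; the sample is well under 128 bytes per element."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def oid_encode(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                                        # base-128, high bit = continuation
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(chunk)
    return der_encode(0x06, body)


def sample_certificate(sig_oid, not_after):
    """Skeleton with only the fields the inventory reads filled in (constructed data)."""
    alg = der_encode(0x30, oid_encode(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier + NULL
    validity = der_encode(0x30, der_encode(0x17, b"141101000000Z") + der_encode(0x17, not_after))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + alg + der_encode(0x30, b"") + validity + der_encode(0x30, b"") + der_encode(0x30, b""))
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00"))


if __name__ == "__main__":
    for oid, expiry in [("1.2.840.113549.1.1.5", b"171231235959Z"),
                        ("1.2.840.113549.1.1.5", b"161231235959Z"),
                        ("1.2.840.113549.1.1.11", b"171231235959Z")]:
        alg, not_after = inspect_certificate(sample_certificate(oid, expiry))
        print(alg, not_after.date(), chrome39_verdict(alg, not_after))
```

Run it against your own domains by calling `check_live_site("www.example.test")` for each one; anything graded `UNTRUSTED_SHA1` is exactly the case Chrome 39 flags, and `SHA1_EXPIRES_BEFORE_2017` is the odd tolerated case the notice describes, which still warrants replacement at the next renewal.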

Footnote

Why not update certificates the minute Microsoft and Google announced? Certificates cost money, and in some cases certificate authorities charge for the updated certificate. There was no need to update them early: it would potentially be a waste of time to have to upgrade outside of the normal upgrade cycle and a waste of money to issue new certificates while the old certificate was still supported. Another big reason is the visitor. Not all browsers support the higher encryption bit-rates. In particular, Windows XP and Internet Explorer 6.0, two very popular packages, were in use by hundreds of millions of users worldwide; their experience would have been impacted by a premature upgrade to SHA256. Even after Microsoft informed Windows XP users about the end of life years in advance, 26 percent of users were still using the operating system after the April 8, 2014 deadline. With the decline of Windows XP and IE6 since that time, coupled with the behavior of Google Chrome 39 and its strong market utilization, the retirement of SHA1 and adoption of SHA256 is effectively mandated by Google in advance of the deadline.

References

https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

https://technet.microsoft.com/en-us/library/security/2880823.aspx

http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-SHA1.html

https://support.globalsign.com/customer/portal/articles/1499561-SHA256-compatibility

https://blog.malwarebytes.org/online-security/2015/01/the-state-of-windows-xp-in-numbers/
