The SHA-1 SSL Battle Has Begun
I clicked on a link this morning to download a Ponemon Institute report and got this big red X in my browser.
The link went to an IBM site (IBM sponsored Ponemon’s report), so this is not a small obscure company who does not know better.
Expanding the details of the error message shows what is going on.
Basically, Chrome has already started its battle against the SHA-1 hash algorithm. The error message says that the site uses a SHA-1 SSL certificate that expires after December 31, 2016 and that, as a result, the connection is encrypted using an obsolete cipher suite.
While I have seen figures putting Chrome anywhere from 25% to 65% of browser use, it is a major player either way, and no company wants to lose Chrome users.
Some users, when they see the big red X, are likely to close the browser or leave the site.
From a web site owner’s perspective, now is the time to replace SHA-1 SSL certificates, especially those that expire after the end of this year. It is easy to tell if your site is using one of those – just go to your site in Chrome and see if you get a big red X.
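Looking for the red X works one site at a time. For a fleet of hosts it is more practical to pull the certificate and read the two fields Chrome is reacting to: the signature algorithm (is it SHA-1?) and the expiry date (is it after December 31, 2016?). The script below is an added example, not code from the post or from IBM, Ponemon or Google; it uses only the Python standard library, with a minimal DER walker in place of a full X.509 library. The `build_sample_cert` helper produces a constructed, unsigned skeleton certificate purely so the parser can be exercised offline; `summarize_host` does the live check against a real site.

```python
import ssl
from datetime import datetime, timezone

# Signature-algorithm OIDs as registered in RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10040.4.3": ("dsaWithSHA1", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
# Cut-off the post describes: SHA-1 certificates valid past this date get the red X.
SHA1_SUNSET = datetime(2016, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(val):
    """Turn DER OID contents into dotted form (first byte packs two arcs)."""
    parts, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))


def decode_time(tag, val):
    """UTCTime (tag 0x17, two-digit year) or GeneralizedTime (0x18, four-digit year)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def summarize(der):
    """Report signature algorithm, expiry and the SHA-1 condition for a DER certificate."""
    (_, cert), = children(der)                    # Certificate ::= SEQUENCE { ... }
    tbs, sig_alg, _signature = children(cert)     # tbsCertificate, signatureAlgorithm, signature
    oid = decode_oid(children(sig_alg[1])[0][1])  # AlgorithmIdentifier.algorithm
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = children(fields[3][1])             # serial, signature, issuer, validity, ...
    not_after = decode_time(*validity[1])
    name, digest = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    return {
        "signature_algorithm": name,
        "digest": digest,
        "not_after": not_after,
        "chrome_sha1_red": digest == "SHA-1" and not_after > SHA1_SUNSET,
    }


def summarize_host(host, port=443):
    """Fetch a live site's leaf certificate and summarize it (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return summarize(ssl.PEM_cert_to_DER_cert(pem))


# --- DER builder for a constructed test skeleton; not a valid, signed certificate ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytes([40 * p[0] + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return out


def build_sample_cert(sig_oid, not_after_utctime):
    """Constructed skeleton with only the fields summarize() reads filled in."""
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"150101000000Z") + tlv(0x17, not_after_utctime))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    sample = build_sample_cert("1.2.840.113549.1.1.5", b"170630000000Z")
    print(summarize(sample))  # SHA-1, expires mid-2017: the red-X case
```

Run `summarize_host("your.site.example")` for each host on your list; anything reporting `chrome_sha1_red: True` is a certificate to replace now, and anything with digest SHA-1 at all is one to replace at the next renewal. Note that only the outer `signatureAlgorithm` is read here, which is what the browser checks; the digest named inside `tbsCertificate` must match it in a well-formed certificate.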
Come the middle of this year, the browser makers are going to increase the pressure by making users click through a message stating that they understand the security of your company’s SHA-1 web site is weak and that they should not go there.
Curiously, I was going there to look at a report on application security. I guess that report was not the only lesson in application security I got this morning.