Google Planning to Deprecate SHA-1 Certificates Soon

[Image: SHA-1 Certificates Expiration]

The holiday shopping season is quickly approaching, and that is a good reason to be concerned about Google’s recent announcement that it will be accelerating the deprecation of SHA-1 certificates. The new policy was announced on August 19.

Chrome 39 – due in less than 12 weeks – will show a warning for sites that use a SHA-1 certificate that expires in 2016. Additionally, sites with a SHA-1 certificate expiring in 2017 or later will require a click-through warning. Just how serious is the problem? Well, Bruce Schneier has estimated that the cost of a SHA-1 collision attack will be affordable to organized crime by 2018.
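The first thing a site operator needs to know is which of the two buckets above a given certificate falls into: what hash its signature uses and in which year it expires. The following is an added example, not code from the article or from Google. It walks the DER structure of a certificate with a small hand-written parser (standard library only), reads the signature algorithm OID and the notAfter date, and maps them to the Chrome 39 behaviour exactly as the article states it. The sample certificates are constructed in the block itself (unsigned skeletons with a dummy key and signature; the subject name `example.test` is made up), so it runs offline; point `cert_signature_info` at a real DER file to audit your own chain.

```python
"""Added example: read signature algorithm + notAfter from an X.509 DER
certificate and apply the Chrome 39 policy described in the article.
Hypothetical helper code, not Google's or the article's."""
import datetime

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
}

def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the contents of a SEQUENCE/SET into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128, high bit set on all but the last byte of an arc
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")  # GeneralizedTime otherwise

def cert_signature_info(der):
    """Return (algorithm name, hash name, notAfter) for a DER-encoded certificate."""
    _, cert, _ = der_read(der)
    tbs, sig_alg = der_children(cert)[:2]       # tbsCertificate, signatureAlgorithm
    oid = decode_oid(der_children(sig_alg[1])[0][1])
    name, hash_name = SIG_OIDS.get(oid, (oid, "unknown"))
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                    # explicit [0] version present: skip it
        fields = fields[1:]
    validity = fields[3]                        # serial, signature, issuer, validity
    return name, hash_name, parse_time(*der_children(validity[1])[1])

def chrome39_status(hash_name, not_after):
    """The Chrome 39 behaviour as the article describes it."""
    if hash_name != "sha1":
        return "ok"
    if not_after.year >= 2017:
        return "click-through warning"
    return "warning" if not_after.year == 2016 else "ok"

# --- constructed sample certificates (unsigned skeletons, demo only) ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_test_cert(sig_oid, expiry_year, month=6, day=30):
    """RFC 5280 layout; subject, key and signature bytes are constructed dummies."""
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    cn = der_tlv(0x06, encode_oid("2.5.4.3")) + der_tlv(0x0C, b"example.test")
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, cn)))
    utc = lambda y, m, d: der_tlv(0x17, f"{y % 100:02d}{m:02d}{d:02d}000000Z".encode())
    validity = der_tlv(0x30, utc(2014, 9, 1) + utc(expiry_year, month, day))
    rsa_alg = der_tlv(0x30, der_tlv(0x06, encode_oid("1.2.840.113549.1.1.1")) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, bytes(17)))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, bytes(17)))

def audit(der):
    """(algorithm, expiry year, Chrome 39 status) for one certificate."""
    name, hash_name, not_after = cert_signature_info(der)
    return name, not_after.year, chrome39_status(hash_name, not_after)

if __name__ == "__main__":
    for oid, year in [("1.2.840.113549.1.1.5", 2016), ("1.2.840.113549.1.1.5", 2017),
                      ("1.2.840.113549.1.1.11", 2017)]:
        print(audit(build_test_cert(oid, year)))
```

Note that the status depends on the outer `signatureAlgorithm` of each certificate in the chain, not on the key type, so an RSA-2048 certificate is still flagged if the CA signed it with SHA-1; run `audit` over every intermediate as well as the leaf.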

As you might imagine, this could affect smaller online stores that haven’t made the switch to SHA-2. This is part of what makes the 12-week timeline very aggressive, according to some. One of the problems is that many people are still happily using Windows XP SP2 for their server – which doesn’t support SHA-2 at all. Many devices also lack SHA-2 support, which can be even more expensive if new equipment needs to be bought, installed and configured before the big online shopping season starts.

The switch from SHA-1 to SHA-2 may be a problem for both small and large ecommerce stores. For smaller companies, updating everything needed in a short time can be expensive. Larger companies may have “lockdown” periods at the end of the year that make it impossible to make the transition until after January 2015. The timelines announced by Microsoft back in November 2013 would deprecate SHA-1 in code signing certificates by January 1, 2016 and in SSL certificates by January 1, 2017, which is less aggressive than what Google wants.

The CA Security Council has urged Google to consider the upcoming holiday season and give webmasters a little more time to make the switch. That being said, it’s important for any website still using SHA-1 to begin the transition to SHA-2 as soon as possible – if not sooner. If you’re still using SHA-1 and are concerned about not being able to upgrade before the holiday shopping season next month, leave us a comment below and let us know your thoughts. Upgrading to SHA-2 is very important for a lot of reasons, but we’re interested in seeing how many of our readers are going to be affected by Google’s aggressive timeline for implementation.