The SHA-1 deprecation date is likely to be accelerated: you may be required to switch all of your SHA-1 certificates to SHA-2 certificates by June 1, 2016, instead of the previous deadline of December 31, 2016.
In 2013, Microsoft announced that SHA-1 certificates would have significant security problems in the following years, and that they therefore could not be issued after Jan 1, 2016. Most browsers, led by Microsoft, also stated that they would stop supporting SHA-1 certificates by January 1, 2017, requiring server owners to upgrade to SHA-2 equivalent certificates before that date. One browser, Google Chrome, is already showing a minor negative security indicator in the browser UI for SHA-1 certificates that expire in 2016 (Figure A) and an insecure indicator in the browser UI for SHA-1 certificates that expire after 2016 (Figure B).
Most Recent Developments
You may have read that a recent academic study showed SHA-1 certificates are already vulnerable to attacks by hackers, and so the certificates are not as secure as previously thought. The press has started to pick up on this study as well.
Because of this new security risk to website owners, the major browsers are considering immediate changes to their program rules. For example, Mozilla may deprecate SHA-1 certificates in its browser UI and applications by July 1, 2016, not year-end 2016. Microsoft is considering an earlier emergency deprecation date of June 1, 2016.
If these earlier deprecation dates are confirmed, any SHA-1 certificates you are using after June 1, 2016 could result in a negative security indicator in the browser UI for users visiting your web pages. It is even possible that these browsers will require that Certification Authorities like Trend Micro revoke all SHA-1 certificates by the earlier deprecation date of June 1, 2016.
Our Strong Security Recommendation to You
Due to these developments, Trend Micro strongly recommends that you replace any remaining SHA-1 certificates used on your servers with SHA-2 certificates no later than May 31, 2016 if possible (about seven months from now). Changing these certificates even earlier is better.
Also, after you have verified the installation of your new SHA-2 certificate, we recommend that you then revoke your old SHA-1 certificate.
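As an added example (not part of this notice or of Trend Micro's tooling), the following standard-library Python check reads the outer signature algorithm of a certificate in PEM or DER form and reports whether it is SHA-1 or SHA-2 signed; it serves both to inventory the SHA-1 certificates you still serve and to confirm that a newly installed replacement really is SHA-2 signed. The certificates it builds with `sample_cert` are constructed structural stubs with a real algorithm OID, not real certificates, and the OID table covers only the common RSA and ECDSA signature algorithms.

```python
import base64
SIGNATURE_OIDS = {  # signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) by name
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(data, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OID content bytes to dotted form; the first byte packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                    # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """(oid, name) of the outer signatureAlgorithm of a PEM string or DER bytes."""
    if isinstance(cert, str):                  # PEM: drop armour lines, base64-decode the body
        cert = base64.b64decode("".join(ln for ln in cert.splitlines() if "-----" not in ln))
    _, start, _ = _read_tlv(cert, 0)           # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, tbs_end = _read_tlv(cert, start)     # skip tbsCertificate entirely
    _, alg_start, _ = _read_tlv(cert, tbs_end) # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_start, oid_end = _read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OBJECT IDENTIFIER")
    oid = _decode_oid(cert[oid_start:oid_end])
    return oid, SIGNATURE_OIDS.get(oid, "unknown")

def classify(cert):
    """'SHA-1' must be replaced; 'unknown' (OID not in the table) needs manual review."""
    name = signature_algorithm(cert)[1]
    return "unknown" if name == "unknown" else ("SHA-1" if "sha1" in name.lower() else "SHA-2")

def sample_cert(oid_hex):
    """Constructed, structurally minimal certificate: dummy TBS, real sigAlg OID, dummy signature."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form DER encoder for samples
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))  # AlgorithmIdentifier
    return der(0x30, der(0x30, der(0x02, b"\x01")) + alg + der(0x03, b"\x00\xab"))

SHA1_RSA, SHA256_RSA = "2a864886f70d010105", "2a864886f70d01010b"  # DER-encoded OID bodies
```

Run `classify` over every certificate your server sends, not only the leaf, since browsers evaluate the whole chain below the root; a result of "unknown" means an algorithm outside the small table above and should be looked at by hand rather than assumed safe.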
Before replacing a SHA-1 certificate, you should first check that your servers and system software will support SHA-2 certificates. Here is a partial CA Security Council list from 2014 of systems that support SHA-2:
We recognize that this recommendation may impose additional burdens on you, but we believe the improvements to your system security will be significant.
If you have any questions about this recommendation or require assistance in determining which certificates you may need to replace please contact me.
Chris Bailey’s Bio:
Chris Bailey is general manager for Trend Micro SSL at Trend Micro. Previously Bailey served as the CEO and co-founder of certification authority AffirmTrust, which was acquired by Trend Micro in 2011, and as co-founder and CTO of GeoTrust, a major world Certification Authority acquired by VeriSign in 2006. Mr. Bailey is also a founding member of both the CA/Browser Forum and the CA Security Council.