
Accelerated Deprecation Date for SHA-1 Certificates?

  • Posted on: November 10, 2015
  • Posted in: Critical Infrastructure, Encryption, Hacks, Microsoft, Security, Web Security
  • Posted by: Chris Bailey (General Manager, Trend Micro SSL)

The deadline for SHA-1 deprecation is likely to be accelerated, which may require you to switch all your SHA-1 certificates to SHA-2 certificates by June 1, 2016, instead of the previous deadline of December 31, 2016.

In 2013, Microsoft announced that SHA-1 certificates would have significant security problems in the following years, and therefore could not be issued after Jan 1, 2016. Most browsers, led by Microsoft, also stated that they would stop supporting SHA-1 certificates by January 1, 2017, requiring server owners to upgrade to equivalent SHA-2 certificates before that date. One browser, Google Chrome, is already showing a minor negative security indicator in the browser UI for SHA-1 certificates that expire in 2016 (Figure A) and an insecure indicator in the browser UI for SHA-1 certificates that expire after 2016 (Figure B).

Figure A

Figure B

Most Recent Developments

You may have read that a recent academic study showed SHA-1 certificates are already vulnerable to attacks by hackers, and so the certificates are not as secure as previously thought. The press has started to pick up on this study as well.

Because of this new security risk to website owners, the major browsers are considering immediate changes to their program rules.  For example, Mozilla may deprecate SHA-1 certificates in its browser UI and applications by July 1, 2016, not year-end 2016.  Microsoft is considering an earlier emergency deprecation date of June 1, 2016.

Mozilla blog: https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/

Microsoft blog: https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/

If these earlier deprecation dates are confirmed, any SHA-1 certificates you are using after June 1, 2016 could result in a negative security indicator in the browser UI for users visiting your web pages.  It is even possible that these browsers will require that Certification Authorities like Trend Micro revoke all SHA-1 certificates by the earlier deprecation date of June 1, 2016.

Our Strong Security Recommendation to You

Due to these developments, Trend Micro strongly recommends that you replace any remaining SHA-1 certificates used on your servers with SHA-2 certificates no later than May 31, 2016 if possible (about seven months from now).  Changing these certificates even earlier is better.

Also, after you have verified the installation of your new SHA-2 certificate, we recommend that you then revoke your old SHA-1 certificate.

Before replacing a SHA-1 certificate, you should first check that your servers and system software will support SHA-2 certificates.  Here is a partial CA Security Council list from 2014 of systems that support SHA-2:

https://casecurity.org/wp-content/uploads/2014/09/SHA256-Support-List.pdf

We recognize that this recommendation may impose additional burdens on you, but we believe the improvements to your system security will be significant.
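
To find which certificates still carry a SHA-1 signature, and to confirm that a replacement is SHA-2 signed, the signature algorithm can be read from the certificate itself. The following is an added example, not Trend Micro's code: a standard-library Python check that reads the outer signatureAlgorithm OID from a DER-encoded certificate. The function names are assumptions of this example, and `sample_cert` builds a constructed skeleton, not a real certificate.

```python
# Signature-algorithm OIDs and the hash family each one uses.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA-1",    # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",       # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "SHA-2",   # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-2",   # sha384WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-2",     # ecdsa-with-SHA256
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode OID content bytes (first arc 0 or 1) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def hash_family(der):
    """Classify a DER certificate by its outer signatureAlgorithm."""
    _, start, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)       # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # signatureAlgorithm
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return SIG_OIDS.get(decode_oid(der[oid_start:oid_end]), "unknown")

def tlv(tag, content):
    """Build one DER element; used only for the constructed sample."""
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + content

def sample_cert(oid_hex):
    """Constructed certificate skeleton (not a real certificate)."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"\x00" * 200) + alg + tlv(0x03, b"\x00" * 129))
```

For a PEM file, convert it first with `ssl.PEM_cert_to_DER_cert()` from the standard library. An `unknown` result means the OID is not in the table and the certificate needs a manual look.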

Questions

If you have any questions about this recommendation or require assistance in determining which certificates you may need to replace, please contact me.

Chris Bailey’s Bio:

Chris Bailey is general manager for Trend Micro SSL at Trend Micro. Previously Bailey served as the CEO and co-founder of certification authority AffirmTrust, which was acquired by Trend Micro in 2011, and as co-founder and CTO of GeoTrust, a major world Certification Authority acquired by VeriSign in 2006. Mr. Bailey is also a founding member of both the CA/Browser Forum and the CA Security Council.
