Announcements & Articles
Stay informed about the Acmetek Announcements & Articles and more.

Google Chrome to Mark All HTTP Sites as ‘Not Secure’ from July 2018

Google Chrome Will Mark HTTP Sites ‘Not Secure’ from July 2018 with the Release of Chrome 68

Highlights:

  • Google Chrome will label all HTTP sites as “Not secure”
  • The change ships with the Chrome 68 release in July 2018
  • Google’s Lighthouse tool, an open-source app, helps developers run audits on web pages

For the past several years Google has strongly advised webmasters to adopt HTTPS encryption. Google says that over the last year it has helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “Not secure”.

The plan has rolled out in stages. Chrome 56 (January 2017) marked HTTP pages containing password or credit-card fields as “Not secure”; Chrome 62 (October 2017) extended the warning to any HTTP page on which the user enters data and to every HTTP page opened in an Incognito window; the final stage, Chrome 68 (July 2018), marks all HTTP pages as “Not secure”.

In a recent announcement Google confirmed that, from July 2018 with the release of Chrome 68, every HTTP site visited in Chrome will be flagged “Not secure”: the omnibox will display “Not secure” for all HTTP pages, not only those with forms.

Developers have clearly heard the call. According to Google, the results of these efforts so far are:

  • Over 68% of Chrome traffic on both Android and Windows is now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
  • 81 of the top 100 sites on the web use HTTPS by default

So it is clear that HTTPS is the direction the web is heading when it comes to internet security.

Google Lighthouse Tool

Google’s own Lighthouse is an open-source, automated tool for improving the quality of web pages. Google uses Lighthouse audits, together with its set-up guides, to encourage websites to make the transition to HTTPS.

Make a Strategic Decision When Buying the Right SSL Certificate

Focus on choosing the right SSL certificate for your business needs. Before buying, understand what you need to secure: a single domain, multiple sub-domains, or several different websites. Move your website from HTTP to HTTPS with an SSL certificate today!
If you want to know more about protecting your website and safeguarding customer data, complete the form below to get assistance from an Acmetek trusted security specialist today!

Symantec/Digicert- Google Reissue

You May Have to Reissue Your Certificate

Since announcing the acquisition, DigiCert has actively engaged with the security community to find a path that addresses browser concerns about Symantec-, GeoTrust-, Thawte- and RapidSSL-issued certificates while accommodating the SSL/TLS deployments already in place.

Symantec-issued certificates affected by the browser timelines must be replaced so that they chain to the new DigiCert hierarchy. Replacement is free for all certificates issued before December 1st 2017, and DigiCert will work to ensure a smooth process. Many customers have already received information on certificate replacement, and more information will follow for the parties affected.

Acmetek is working on a smooth transition for its clients; clients with a certificate affected by this transition will be notified over the next couple of months.

Things to know:

  • This reissue is driven by the Chrome distrust timeline for certificates chaining to the legacy Symantec roots (Mozilla Firefox announced a matching schedule, so do not treat this as a Chrome-only concern).
  • If none of your clients use Chrome or Firefox the reissue is less urgent, but every affected certificate still has to be reissued or renewed into the new hierarchy by the deadline below.
  • Symantec, GeoTrust, Thawte and RapidSSL certificates issued before December 1st 2017 must be reissued into the new chain hierarchy under the DigiCert umbrella.
  • All certificates issued after December 1st 2017 are automatically placed in the new DigiCert chain hierarchy.
  • All certificates renewed after December 1st 2017 are automatically placed in the new chain hierarchy.
  • These reissues allow your certificates to be trusted by all versions of Chrome.
  • Symantec roots are NOT being removed from the DigiCert platform; only browser trust in the legacy hierarchy is being withdrawn.
  • This does not affect code signing or other non-SSL products.
  • Three-year certificates issued during 2017 and before December 1st must be reissued or renewed before February 1st 2018.
  • The final deadline to have all certificates reissued or renewed is August 1st 2018. Some reissues may need to be re-authenticated, depending on when the certificate was last validated.

Authentication Things to Know:

  • DigiCert has a more robust, modern and quick authentication platform. Please review DigiCert’s Certificate Validation Process to learn more.
  • Initially, the biggest hold-ups that customers can control are:
    • DCV (Domain Control Validation): for security, the verification goes to the domain’s registered admin contact, not the certificate admin.
    • The verification call (make sure someone at the organization’s main number is aware that a verification call will come within the next 24 hours).
    • Providing the correct legally registered name of the organization up front, so DigiCert does not have to ask for it later.
    • Once the initial authentication has been completed, DigiCert streamlines future orders and reissues as long as the contact and organization information is exactly the same.
If you already know that your Symantec/GeoTrust/Thawte/RapidSSL-issued SSL certificate is affected, you simply need to perform a free reissue of your current certificate order. Acmetek clients will see a notification and receive instructions on how to perform the reissue in their SSL Partner Center.
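The check a practitioner would want before waiting for a notification: given the certificate a server actually presents, decide whether it chains through the legacy Symantec hierarchy and when Chrome stops trusting it. The following is an added example (not Acmetek’s or DigiCert’s code) using only the Python standard library. It assumes the issuer organisation name is enough to tell the two hierarchies apart (legacy intermediates name Symantec, GeoTrust, thawte, RapidSSL or VeriSign; the DigiCert hierarchy used since December 1st 2017 names DigiCert Inc), and it applies Chrome’s published schedule, which goes beyond this page: Chrome 66 (April 2018) distrusts legacy certificates issued before June 1st 2016 and Chrome 70 (October 2018) distrusts the rest. The three sample certificates are constructed, not real.

```python
"""Classify a server certificate against the Symantec -> DigiCert re-issue
timeline. Added example, not Acmetek's or DigiCert's code; standard library only.

The input is the dict that ssl.SSLSocket.getpeercert() returns, so the same
function works on a live connection (fetch_peer_cert) and on the constructed
samples below.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumption: the issuer organisation name identifies the hierarchy. Intermediates
# in the legacy Symantec hierarchy carry one of these names; intermediates in the
# DigiCert hierarchy used since 1 December 2017 carry "DigiCert Inc".
LEGACY_ISSUER_KEYWORDS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")

# Chrome's published schedule: Chrome 66 (April 2018) distrusts legacy certificates
# issued before 1 June 2016; Chrome 70 (October 2018) distrusts all of them.
CHROME_66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def _not_before(cert: dict) -> datetime:
    # getpeercert() gives times like 'Mar  1 00:00:00 2017 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)


def _issuer_org(cert: dict) -> str:
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def cert_issue_status(cert: dict) -> dict:
    """Is the certificate on the legacy chain, and which Chrome release first distrusts it?"""
    org = _issuer_org(cert)
    issued = _not_before(cert)
    legacy = any(k in org.lower() for k in LEGACY_ISSUER_KEYWORDS)
    status = {"issuer_org": org, "legacy_chain": legacy,
              "needs_reissue": False, "first_distrusting_chrome": None}
    if legacy:
        status["needs_reissue"] = True
        status["first_distrusting_chrome"] = 66 if issued < CHROME_66_CUTOFF else 70
    return status


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live variant (needs network): the leaf certificate the server presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; these are not real certificates.
LEGACY_2017_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),),
               (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
    "notBefore": "Mar  1 00:00:00 2017 GMT",
    "notAfter": "Mar  1 23:59:59 2020 GMT",
}
LEGACY_2016_CERT = dict(LEGACY_2017_CERT, notBefore="May 15 00:00:00 2016 GMT",
                        notAfter="May 15 23:59:59 2019 GMT")
NEW_CHAIN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "GeoTrust RSA CA 2018"),)),
    "notBefore": "Jan 10 00:00:00 2018 GMT",
    "notAfter": "Jan 10 23:59:59 2020 GMT",
}

if __name__ == "__main__":
    for name, cert in (("legacy 2017", LEGACY_2017_CERT),
                       ("legacy 2016", LEGACY_2016_CERT),
                       ("new chain", NEW_CHAIN_CERT)):
        print(name, cert_issue_status(cert))
```

`fetch_peer_cert` returns the same dict shape for a live host. Note that `getpeercert()` only returns the parsed dict after the chain validated against your local trust store, so a server whose chain is already distrusted locally raises during the handshake instead of being classified.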

DigiCert Completes Acquisition of Symantec’s Website Security and Related PKI Solutions

Digicert Acquired Symantec

Under the terms of the agreement, DigiCert acquired Symantec’s Website Security and related PKI solutions (the SSL/TLS certificate business) for $950 million in upfront cash plus an approximately 30% stake in DigiCert’s common stock.

DigiCert completed the acquisition of Symantec’s certificate authority business on October 31st 2017. The deal to acquire Symantec’s Website Security and Related PKI Solutions was first announced on August 3rd. DigiCert is a leading provider of scalable identity and encryption solutions.

Speaking on this occasion DigiCert CEO John Merrill said, “Today starts an exciting era for the current customers and partners of both Symantec and DigiCert, For Symantec customers, they can feel assured that they will have continuity in their website security and that we will provide a smooth transition. Our customers and partners will benefit from our accelerated investment in products and solutions for SSL, PKI, and IoT. DigiCert will also lead to shape PKI security standards through our participation in industry standards bodies to ensure our customers stay at the forefront of security practices. DigiCert is prepared for this opportunity.”

“The addition of Symantec Web PKI solutions to DigiCert will provide a customer experience that is second to none. We are excited for Symantec customers to benefit from solutions that help advance and strengthen website security,” said Greg Clark, Symantec CEO. “We expect Symantec and DigiCert customers to benefit from focused investment in the next generation of security solutions for our respective customers, and today’s action helps advance this important objective”

This acquisition brings together some of the best minds in the industry and gives customers a reinforced technology platform, strong customer support and continued innovation. DigiCert will continue to operate from its headquarters in Lehi, Utah, with a combined workforce of around 1,000 professionals.

What Symantec Customers Can Expect

DigiCert has a strong reputation in the industry for speed, reliability and excellent customer support. Symantec customers will get this service along with industry-leading OCSP response times and award-winning PKI and IoT management platforms.

DigiCert’s platform is highly scalable, designed for high-volume SSL and IoT deployments and stress-tested for billions of certificates, so DigiCert expects to maintain its issuance times even with the added Symantec Website Security business.

What DigiCert Customers Can Expect

The addition of Symantec’s Website Security business brings together the best talent in the industry and will strengthen DigiCert’s SSL, PKI and IoT solutions.

Since the acquisition was announced in August 2017, DigiCert has focused on meeting the browser requirements for Symantec-issued certificates. It plans to replace affected certificates free of charge and without disrupting customers’ business, in order to ensure continued trust.

“DigiCert is well positioned for this opportunity,” said Jody Cloutier, former senior program manager, Microsoft Cryptographic Ecosystem. “During my time at Microsoft managing the root store program, I always found DigiCert to be committed to advancing online trust. I expect that this acquisition will lead to increasing investments in new platforms and products that will benefit customers.”

DigiCert looks forward to building a larger security company and to supporting all of Symantec’s Website Security and PKI solutions, and their customers, well into the future.

What Can Acmetek Offer Its Customers and Partners?

Acmetek will be able to offer an even wider range of solutions from both Symantec and DigiCert. Current Symantec customers can continue to order and purchase certificates the way they always have, and can still use their existing Symantec management tools. Account management contacts, existing contracts, brands, certificate validity periods and pricing all remain the same as of now.

We are excited about bringing together the best of what Symantec has to offer with DigiCert. Acmetek partners and customers gain access to a broader range of advanced security solutions. This acquisition is a good outcome for all parties: DigiCert, Symantec clients, partners and resellers. The SSL and PKI platform has a bright future under a responsible new leader in the website security industry.

We will keep our customers and partners updated with regular communication. Acmetek’s dedicated support team is standing by around the clock, ready to assist with any questions or concerns you may have. Want to buy SSL certificates at low cost? Simply click the request-a-quote form and submit your requirements.

For the latest Acmetek news and updates, visit www.acmetek.com/announcements/ or follow us on Facebook @Acmetek and Twitter @Acmetek

CA/Browser Forum Passes Ballot 193 – 825 day Certificate Lifetimes

The Certificate Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of Certificate Authorities such as Symantec, DigiCert and Comodo and of browser and operating-system vendors such as Apple, Mozilla and Microsoft. It sets the baseline requirements that publicly trusted certificates must meet, with the aim of keeping the internet secure for users and businesses all over the world.

Ballot 193, recently passed by the CA/Browser Forum, affects all Certificate Authorities and everyone who manages SSL/TLS certificates. Its first stage took effect almost immediately (April 22, 2017).

  • Effective April 22, 2017
    Reduces the length of time that validation information can be re-used to authenticate a subsequent certificate from 39 months (3 years 3 months) to 825 days (about 27 months). New, renewal and replacement certificates are all subject to this change. The timing seems abrupt and may be adjusted to give CAs time to prepare, but it should not affect the majority of clients during the transition.
  • Effective March 1, 2018
    Reduces the maximum validity period of an SSL/TLS certificate to 825 days (about 27 months). The three-year option disappears: no certificate issued after this date may be valid for longer than 825 days.

Things to know:

Authentication:

  • Existing certificates:
    • Are not affected. The authentication work is already complete and no action is necessary.
  • Reissue (replacement) of your SSL Certificate:
    • DV (Domain Validated) –
      DV reissues, such as QuickSSL or RapidSSL products, already undergo domain validation, so there is no impact to DV certificate reissues. Reissued 3rd certificates after March 1 2018
    • OV (Organization Validated) –
      Some OV reissues, for products like True BusinessID or Secure Site, may not issue instantly if the validated data used to approve the original certificate is older than 825 days or is otherwise no longer valid. Those reissues will go through authentication again, though many reissues will continue to be issued instantly. Three-year certificates are the ones most likely to be caught by this revalidation and not reissue automatically.
    • EV (Extended Validated) –
      EV reissues are not impacted, because EV certificates are already limited to 825 days (about 2 years).
  • Renewal certificates:
    • Renewals will continue to leverage existing authentication and automation whenever possible, and in many cases will be approved quickly.
    • With the shorter lifetime of authentication data (825 days), renewals will require more frequent authentication.
    • With the shorter validity period, network admins will have to visit their servers and networks more frequently for CSR generation and SSL installation.

Technical:

  • Reissues/Replacements:
    • Since a certificate issued on or after March 1, 2018 can only have an 825-day (27-month) lifespan, a certificate that has to be reissued for any reason after that date may lose validity time.
      Example: If an admin obtains a new or renewed 3-year certificate on February 28th 2018 and later needs a reissue for a technical reason, the reissued certificate can be cut to 27 months from the reissue date instead of keeping its original 37-month expiry.
      Note: Because of this, Acmetek will proactively stop 3-year certificate enrollments as the deadline approaches, to avoid this scenario as far as possible.
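To make the arithmetic above concrete, here is an added example (not the CA/B Forum’s or Acmetek’s code) in Python that encodes both stages of Ballot 193: the cap on validity that applies on a given issue date, the reuse window for validation data, and the validity a certificate loses when it is reissued after March 1, 2018. The sample certificate dates are constructed; 2018 is not a leap year, so the sample is issued on February 28th.

```python
"""Ballot 193 date arithmetic. Added example; not CA/B Forum or Acmetek code."""
import calendar
from datetime import date, timedelta
from typing import Tuple

REUSE_CUTOVER = date(2017, 4, 22)    # validation data may be reused for 825 days, not 39 months
VALIDITY_CUTOVER = date(2018, 3, 1)  # maximum certificate validity becomes 825 days
OLD_LIMIT_MONTHS = 39
NEW_LIMIT_DAYS = 825


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the length of the target month."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def max_not_after(issue_date: date, requested_not_after: date) -> date:
    """Latest expiry a CA may put on a certificate signed on issue_date."""
    if issue_date >= VALIDITY_CUTOVER:
        cap = issue_date + timedelta(days=NEW_LIMIT_DAYS)
    else:
        cap = add_months(issue_date, OLD_LIMIT_MONTHS)
    return min(cap, requested_not_after)


def reissue_outcome(original_not_after: date, reissue_date: date) -> Tuple[date, int]:
    """Expiry after a reissue on reissue_date, and the number of days of validity lost."""
    new_not_after = max_not_after(reissue_date, original_not_after)
    return new_not_after, (original_not_after - new_not_after).days


def validation_data_reusable(validated_on: date, order_date: date) -> bool:
    """May validation data collected on validated_on be reused for an order on order_date?"""
    if order_date >= REUSE_CUTOVER:
        expires = validated_on + timedelta(days=NEW_LIMIT_DAYS)
    else:
        expires = add_months(validated_on, OLD_LIMIT_MONTHS)
    return order_date < expires


if __name__ == "__main__":
    # Constructed sample: 3-year certificate issued 28 Feb 2018, reissued on 1 Apr 2018
    issued, expiry = date(2018, 2, 28), date(2021, 2, 28)
    new_expiry, lost = reissue_outcome(expiry, date(2018, 4, 1))
    print(f"original expiry {expiry}, expiry after reissue {new_expiry}, {lost} days lost")
```

The reissue on April 1st 2018 caps the certificate at July 4th 2020, 239 days short of the original expiry, which is the cut the note above warns about.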

To keep up with the progress of technology, the CA/Browser Forum regularly adopts new industry standards. These standards guide the internet toward a safer, more secure environment for its users. Information about the CA/B Forum is always publicly available at cabforum.org.


Lead Tech Engineer, Acmetek
Dominic Rafael

Symantec Says Enough is Enough!

Firstly, the key point is that certificates today require no action: there is no security issue and no issue with issuance. Google’s unilateral changes to the Chrome browser do not require any immediate action. Enough is enough.

On behalf of Symantec, we want to note that Symantec is proud to be one of the world’s leading certificate authorities. Symantec strongly objects to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and Symantec believes the blog post was irresponsible. Symantec hopes that it was not calculated to create uncertainty and doubt within the Internet community about its SSL/TLS certificates.

Google’s statements about Symantec’s issuance practices and the scope of Symantec’s past mis-issuances are exaggerated and misleading. For example:

  • Google’s claim that Symantec has mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates, not 30,000, were identified as mis-issued, and they resulted in no consumer harm as they were for test purposes.
  • While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has recently singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.

Symantec has taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA) and, to strengthen trust in Symantec-issued SSL/TLS certificates, announced the discontinuation of its RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed.

Symantec operates its CA in accordance with industry standards, maintains extensive controls over its SSL/TLS certificate issuance processes and works continually to strengthen its CA practices. Symantec has invested substantially in, and remains committed to, the security of the Internet. Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers. Symantec has also been a champion of Certification Authority Authorization (CAA), and has asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA. Symantec’s most recent contribution to the CA ecosystem is the creation of Encryption Everywhere, its freemium program, to drive widespread adoption of encrypted websites.

Symantec wants to reassure its customers and all consumers that they can continue to trust Symantec SSL/TLS certificates.

Symantec will continue to vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post. Symantec is open to discussing the matter with Google in an effort to resolve the situation in the shared interests of their joint customers and partners.

“We suggest and strongly recommend that you continue as normal with your procurement of Symantec SSL Certificates as we are working to clarify Google’s statement. You can expect an update soon once we assess if changes are necessary.”

–  Lead Engineer – Encryption , Acmetek Global Solutions, Kevin S Naidoo

Acmetek’s Platinum Partnerships With Symantec & Thawte Bring You a Free SAN With the Purchase of Your SSL

Acmetek’s Platinum Partnership with the world’s leading Certificate Authorities (CAs) Symantec and Thawte lets Acmetek bring its clients a free domain SAN with the enrollment of an SSL/TLS certificate.


This means your website will work whether your clients visit it with or without the www prefix. No more forwarding of website traffic or paying extra for an additional Subject Alternative Name (SAN), something that should come by default. Many CAs around the world do not provide this, which creates a technical headache for web developers and network administrators. Acmetek can provide you with a simpler solution.

Here is how it works:

  1. When enrolling for a standard Symantec or Thawte SSL product with a Certificate Signing Request (CSR) whose Common Name is www.domain.com (for example), Symantec/Thawte will automatically add the base domain domain.com to the certificate as a free SAN.
  2. If the Common Name of the CSR is only domain.com, Symantec/Thawte will automatically add www.domain.com to the certificate.
  3. For Wildcard certificate products, when your CSR has the required Common Name of *.domain.com, Symantec/Thawte will add the base domain domain.com as a free SAN.
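The thing to verify once the certificate is issued is which hostnames it actually covers. As an added example (not Symantec, Thawte or Acmetek code), the following Python reads the subjectAltName list in the dict shape `ssl.SSLSocket.getpeercert()` returns and reports coverage for a set of hostnames, including the wildcard rule that `*.domain.com` matches exactly one label. It goes beyond the three cases above by also showing a certificate with a Common Name and no SAN, which modern browsers do not accept for any hostname. The certificates are constructed samples.

```python
"""Which hostnames does an issued certificate cover? Added example, not
Symantec/Thawte/Acmetek code; standard library only. Certificate dicts are in
the shape ssl.SSLSocket.getpeercert() returns; the samples below are constructed."""
from typing import Dict, List


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname. A wildcard is honoured only as the
    whole left-most label and matches exactly one label, as browsers do."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    suffix = p[1:]                      # "*.example.com" -> ".example.com"
    if not h.endswith(suffix):
        return False
    leftmost = h[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def dns_names(cert: dict) -> List[str]:
    """DNS entries of the subjectAltName extension. Modern browsers ignore the
    Common Name entirely, so a certificate without SANs covers nothing."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covers(cert: dict, hostname: str) -> bool:
    return any(_name_matches(name, hostname) for name in dns_names(cert))


def coverage(cert: dict, hostnames: List[str]) -> Dict[str, bool]:
    return {host: covers(cert, host) for host in hostnames}


# Constructed samples. WWW_CERT: CSR Common Name was www.example.com and the CA added
# the base domain as a free SAN. WILDCARD_CERT: CSR was *.example.com, base domain added.
# CN_ONLY_CERT: Common Name but no SAN extension at all.
WWW_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "www.example.com"),),)}

if __name__ == "__main__":
    hosts = ["www.example.com", "example.com", "shop.example.com", "a.b.example.com"]
    for label, cert in (("www", WWW_CERT), ("wildcard", WILDCARD_CERT), ("cn only", CN_ONLY_CERT)):
        print(label, coverage(cert, hosts))
```

To run it against a live site, pass the dict from `getpeercert()` on an `ssl`-wrapped socket; the `subjectAltName` key has exactly the tuple shape used in the samples.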

Products benefiting from free SAN from this change:

Symantec                       Thawte
Secure Site Pro with EV        SSL Web Server with EV
Secure Site with EV            SGC SuperCerts
Secure Site Pro                SSL Web Server Wildcard
Secure Site Wildcard           SSL Web Server
Secure Site                    SSL123

SSL/TLS certificates are the first step in maintaining a secure website or network for your business. Symantec products in particular bundle the right tools to give you an overall security solution. Read more about Symantec and Thawte website security solutions on our site!

Symantec

Thawte

Acmetek always brings the best security solutions to fit our clients’ needs. Our partnerships and tools are dedicated to providing easy solutions in website security.


Lead Engineer: Dominic Rafael
dsrafael@acmetek.com

New Requirements Announced For Code Signing Certificates Industry Wide

We want to inform you about new industry requirements for Code Signing certificates that were announced by the Certificate Authority Security Council (CASC) on 8th December 2016 and that come into effect on the 1st of February 2017.

The new requirements address four key areas of Code Signing, provide a safer experience and reduce the risk of code-signing attacks.

To reduce the chance of issuing certificates to malicious publishers the guidelines require that Symantec:

  • Follow a strict, standardized identity verification process to authenticate publishers
  • Check all Code Signing orders against lists of suspected or known malware publishers
  • Check all Code Signing orders against certificates previously revoked by Symantec because they were used to sign suspect code

Symantec has also introduced a ‘Certificate Problem Reporting’ system for both Symantec and Thawte Code Signing certificates, which allows third parties such as anti-malware organisations and software suppliers to report key compromise, certificate misuse and possible fraud. Under the new arrangement, once Symantec receives a report it will either revoke the certificate within forty-eight hours or notify the reporter that an investigation has been started.

Symantec has enhanced its timestamping services for Code Signing customers to meet the new requirements. More information can be found in Symantec’s KB articles for Microsoft signing and Java signing.

The main benefit of timestamping is that the signature does not expire when the certificate does, which is what happens without a timestamp. Instead, provided the code was signed and timestamped while the certificate was still valid, the signature remains valid for the lifetime of the timestamp, which can be as long as 135 months.

Symantec has published guidelines on private-key protection best practices for Symantec and Thawte Code Signing certificates, which subscribers must review and accept as part of the enrollment process. These guidelines make recommendations on the secure storage of private keys to mitigate the risk of key compromise; note, however, that the Code Signing minimum requirements published in December stop short of mandating that an OV Code Signing key be stored on a FIPS 140-2 Level 2 HSM or equivalent on-premise hardware.

Lastly, any pending Symantec or Thawte Code Signing orders placed before the 25th of January 2017 and not issued before the 1st of February 2017 will be cancelled by Symantec, and the customers concerned will be asked to re-enroll.

If you want further clarification about this announcement, or have any questions, get in touch with the Certificate Authority that issued your Code Signing certificate.


Dominic Rafael, Lead Tech Engineer
dsrafael@acmetek.com

WhatsApp Enables Two-Factor Authentication, Strengthening Its Security

WhatsApp is a widely popular, free, cross-platform smartphone messaging application that lets users make voice and video calls and send text messages, documents, images, GIFs, locations and more over their phone’s data service or Wi-Fi. It is particularly popular where mobile data rates or roaming charges cost an arm and a leg.

WhatsApp Inc., based in Mountain View, California, was acquired by Facebook in February 2014 for a staggering US$19.3 billion. By February 2016 WhatsApp had a user base of over one billion, making it the most popular messaging application at the time.

In recent years privacy and security have been a focus of the popular messaging app. WhatsApp began rolling out end-to-end encryption (based on the Signal Protocol) in 2014 and completed it across all platforms in April 2016, so that messages are scrambled between the communicating users and cannot be read in transit. The latest security feature is two-step verification.

What is Two-Step Verification?

Two-step verification is an optional feature that adds more security to your account. The technology is not new and has been in use for quite some time: Blizzard Entertainment, creator of the biggest online MMO (Massively Multiplayer Online) game, World of Warcraft, introduced two-factor authentication back in 2008 to protect gamers’ accounts from being hijacked. Two-step, or two-factor, authentication protects your accounts by requiring an additional piece of information after you enter your password. In the most common implementation, after you correctly enter your password, the online service sends you a text message or an email with a unique code that you must enter to get access to your account.

Implementing Two Step Verification on WhatsApp:

To enable two-step verification, open WhatsApp > Settings > Account > Two-step verification > Enable.

When enabling this feature you can also optionally enter your email address. WhatsApp will use it to send you a link to disable two-step verification in case you ever forget your six-digit passcode, and to help safeguard your account. WhatsApp does not verify this email address, so make sure it is accurate or you risk being locked out of your account if you forget your passcode.

How it works..

Once two-step verification is enabled, if you receive an email to disable it, or receive a passcode request that you did not initiate, do not click the link. Someone could be attempting to verify your phone number on WhatsApp elsewhere, meaning someone is attempting to gain access to your account. Stay secure.


Lead Tech Engineer: Dominique Rafael
dsrafael@acmetek.com

GoDaddy & Let’s Encrypt Cause Security Concerns and Leaks.

Last week GoDaddy began re-issuing SSL certificates for more than 6,000 customers after a bug was discovered in its automated DV (Domain Validated) registrar validation process. Automated issuance is one of the fastest ways to obtain a validated digital certificate for encrypting and validating websites or networks.

“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process. The bug caused the domain validation process to fail in certain circumstances,” Wayne Thayer, VP and General Manager of Security Products at GoDaddy, said in a statement.

When we hear terms such as “improve the certificate issuance process” it usually means making things faster or more automated. Keep in mind that GoDaddy is a hosting company rather than a security company; being a Certificate Authority (CA) is a by-product of the service it provides. The bug exposed sites with GoDaddy certificates to spoofing: an attacker could obtain a certificate for a domain they did not control and pose as the legitimate site, enabling the spread of malware or the theft of personal information such as banking login credentials. This push to “improve” certificate issuance comes from fear of a new free CA that has debuted, called Let’s Encrypt.
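To show how an automated domain-control check can be fooled, here is an added example in Python; it is not GoDaddy’s code, and this page does not describe GoDaddy’s actual root cause. It contrasts a weak check that merely looks for the random token anywhere in the response with a strict one that requires a 200 status and a body consisting of exactly the token, using one generic failure mode: a server that has no such file but returns a 404 page that echoes the requested URL, token included. The validation path layout and the HTTP responses are constructed for the example.

```python
"""Weak vs. strict HTTP-based domain-control validation. Added example, not
GoDaddy's code; the responses below are constructed, not captured."""
import secrets
from dataclasses import dataclass


@dataclass
class HttpResponse:
    status: int
    body: str


def new_token() -> str:
    """Random token the applicant must publish under the validation path."""
    return secrets.token_hex(16)


def validation_path(token: str) -> str:
    # Assumed layout for the example; real CAs each define their own path.
    return f"/.well-known/pki-validation/{token}.txt"


def weak_dv_passes(token: str, resp: HttpResponse) -> bool:
    """Flawed: accepts any response whose body mentions the token anywhere,
    regardless of status code. A 404 page that reflects the request URL contains it."""
    return token in resp.body


def strict_dv_passes(token: str, resp: HttpResponse) -> bool:
    """Hardened: require a success status and a body that is exactly the token."""
    return resp.status == 200 and resp.body.strip() == token


def echoing_404(path: str) -> HttpResponse:
    """Constructed stock 'not found' page that reflects the request path into the HTML."""
    return HttpResponse(404, "<html><body><h1>Not Found</h1>"
                             f"<p>The requested URL {path} was not found on this server."
                             "</p></body></html>")


def correct_response(token: str) -> HttpResponse:
    """Constructed response from an applicant who really published the token."""
    return HttpResponse(200, token + "\n")


def compare(token: str) -> dict:
    """(weak result, strict result) for each constructed scenario."""
    path = validation_path(token)
    cases = {
        "applicant published the token": correct_response(token),
        "server has no such file, echoes the URL": echoing_404(path),
    }
    return {name: (weak_dv_passes(token, r), strict_dv_passes(token, r))
            for name, r in cases.items()}


if __name__ == "__main__":
    for scenario, (weak, strict) in compare(new_token()).items():
        print(f"{scenario}: weak={weak} strict={strict}")
```

The weak check issues a certificate to whoever asked for a domain whose web server merely reflects URLs, with no action by the domain owner at all. Let’s Encrypt’s HTTP-01 challenge sidesteps this class of bug by requiring the body to equal a key authorization derived from the applicant’s ACME account key, not just a token.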

Let’s Encrypt is a free, automated, and open CA brought to you by the non-profit Internet Security Research Group (ISRG). The move for this free automated process is to help the industry migrate to enable HTTPS(SSL/TLS) for websites in the most user friendly way possible. It is meant to significantly lower the complexity of setting up and maintaining TLS encryption.

Features of Let’s Encrypt.

  • Let’s Encrypt issues only domain-validated certificates, since these can be fully automated. Organization Validation and Extended Validation certificates are not available.
  • Let’s Encrypt certificates are valid for 90 days. Their reasoning is that short-lived certificates “limit damage from key compromise and mis-issuance” and encourage automation. The official certbot client and most third-party clients can automate renewal.
  • The official client targets Linux and other Unix-like systems; automation on Windows depends on third-party ACME clients.
  • No wildcard certificates (at the time of writing).
  • No payment, and far less work on web server configuration, validation emails and certificate renewal.

The Ugly/Disadvantages:

  • One disadvantage that keeps big companies from considering Let’s Encrypt is that visitors cannot tell from the certificate whether the site is really run by the company it claims to be. Let’s Encrypt issues DV certificates for a domain free of charge without any identity validation (personal or corporate).
  • Automatic renewal tends to let IT admins neglect security upkeep on their systems. Often an admin who has to visit a system because a certificate needs updating discovers that it is out of compliance with required patches and configurations. Left untouched, outdated software and standards can open the door to compromise.
  • Because the certificates are free, attackers can obtain them too. The potential for Let’s Encrypt to be abused by anyone who can freely get a certificate is very real; attackers prefer not to spend money to achieve their goals.

Any technology meant for good can be abused by cyber criminals, and digital certificates such as Let’s Encrypt’s are no exception. There is one reported case in which an attacker/malvertiser used a technique called “domain shadowing,” where the attacker creates sub-domains under a legitimate site. An end user who clicks an embedded advertisement thinking they are visiting another page of the site is instead led to the attacker’s malvertising server, which can drop a trojan or ransomware onto their system. A certificate authority that automatically issues free certificates for such sub-domains may inadvertently help the criminals, while the domain owner is unaware of the problem and unable to prevent it. Domain owners can at least detect this: Let’s Encrypt logs every certificate it issues to Certificate Transparency logs, so monitoring those logs for your domain reveals certificates you did not request.

Domain-validated certificates only confirm that the domain is under the control of whoever requested the certificate; they do not validate the identity of the requester. End users who are unaware of the nuances of certificates may miss the difference, so a DV certificate can lend an attacker legitimacy in the public’s eyes. There is nothing wrong with procuring a DV certificate; depending on the circumstances, DV is advisable for internal networks or when a quick, cost-effective solution is needed. Security is a proactive industry. Cutting corners and making things easy for the sake of convenience is a double-edged sword that can cost business and reputation. Approach with caution.


Posted by:
Dominic Rafael
Lead Tech Solutions Engineer

Encryption Standards Require Replacing SHA1 With SHA2 Certificates

What is SHA-1 and why is it being deprecated?

Security always needs to be a proactive campaign. Failing to keep up with the progress of technology opens doors and leaves businesses exposed to attack.

SHA-1 is the hash algorithm that was used in the digital signatures on SSL/TLS certificates (the signature a CA places over a certificate’s contents); it is not used to create the key pair itself. SHA-1 replaced MD5, and SHA-2 (typically SHA-256) is now the replacement for SHA-1.

The CA/Browser Forum, the body in which the leading web browsers and certificate authorities (CAs) work together on security and publish the Baseline Requirements for SSL certificates, requires that all CAs move away from SHA-1 as soon as possible and stop issuing publicly trusted SHA-1 certificates. The reason is that, with the progress of technology, this old algorithm is on the verge of being practically exploited.

Browsers like Internet Explorer, Firefox and Chrome enforce these standards by showing errors for certificates that violate them. According to Google’s “Gradually Sunsetting SHA-1”, Chrome 39 and later progressively flag sites whose SHA-1 certificates are valid into 2016 or beyond.
In short:
Most browsers stop trusting SHA-1 certificates after 12/31/2016.

If you do not want errors on your website, you will have to replace the old SHA-1 certificate with a new SHA-2 one.

How to Replace your old SHA1 certificate with SHA2?

To-do list:

  1. Identify certificates that use the SHA-1 signature algorithm. Since the standard is already in effect, you will know you still have a SHA-1 certificate from the browser errors you get in Chrome.
  2. Contact your Certificate Authority for the procedure to replace any SHA-1 certificates with SHA-2 certificates.
    Note: If your SSL certificate was issued through Acmetek, click HERE.
  3. Install your new SHA-2 SSL certificate on your server.
  4. Test your SSL installation with an SSL checker.
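Step 1 is easier with a check that does not rely on browser warnings. Below is an added example (not Acmetek’s code) in Python, standard library only, that reads the signature algorithm OID straight from a certificate’s DER encoding: the outer `Certificate` SEQUENCE holds `tbsCertificate`, then `signatureAlgorithm`, so the parser skips the first element and decodes the OID in the second. `server_uses_sha1` applies the same check to the leaf certificate a live host pres ents. The sample inputs are constructed DER skeletons with the right outer layout, not real certificates; the OIDs and algorithm names are the standard ones.

```python
"""Read the signature algorithm of an X.509 certificate straight from its DER
encoding. Added example, not Acmetek's code; standard library only.

    Certificate ::= SEQUENCE {
        tbsCertificate      SEQUENCE { ... },
        signatureAlgorithm  SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL },
        signatureValue      BIT STRING }
"""
import ssl

SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-SHA1",
}
OTHER_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SEQUENCE, OBJECT_IDENTIFIER = 0x30, 0x06


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length header; returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def _decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:                   # base-128; high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der: bytes) -> str:
    tag, pos, _ = _read_tlv(der, 0)             # outer Certificate SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("not a certificate")
    tag, _, tbs_end = _read_tlv(der, pos)       # tbsCertificate: skipped entirely
    if tag != SEQUENCE:
        raise ValueError("missing tbsCertificate")
    tag, alg_pos, _ = _read_tlv(der, tbs_end)   # signatureAlgorithm
    if tag != SEQUENCE:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = _read_tlv(der, alg_pos)
    if tag != OBJECT_IDENTIFIER:
        raise ValueError("missing algorithm OID")
    return _decode_oid(der[oid_start:oid_end])


def signature_algorithm_name(der: bytes) -> str:
    oid = signature_algorithm_oid(der)
    return SHA1_SIGNATURE_OIDS.get(oid) or OTHER_SIGNATURE_OIDS.get(oid, oid)


def uses_sha1(der: bytes) -> bool:
    return signature_algorithm_oid(der) in SHA1_SIGNATURE_OIDS


def server_uses_sha1(host: str, port: int = 443) -> bool:
    """Live variant (needs network): checks the leaf certificate the server presents."""
    pem = ssl.get_server_certificate((host, port))
    return uses_sha1(ssl.PEM_cert_to_DER_cert(pem))


# Constructed sample input: minimal DER with the right outer layout, not real certificates.
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def _fake_cert(sig_oid: bytes) -> bytes:
    tbs = _der(SEQUENCE, _der(0x04, b"\x00" * 200))   # >127 bytes: exercises long-form lengths
    alg = _der(SEQUENCE, _der(OBJECT_IDENTIFIER, sig_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x11" * 32)
    return _der(SEQUENCE, tbs + alg + sig)


SAMPLE_SHA1_DER = _fake_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SAMPLE_SHA256_DER = _fake_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
SAMPLE_ECDSA_DER = _fake_cert(bytes.fromhex("2a8648ce3d040302"))     # 1.2.840.10045.4.3.2

if __name__ == "__main__":
    for label, der in (("sha1", SAMPLE_SHA1_DER), ("sha256", SAMPLE_SHA256_DER), ("ecdsa", SAMPLE_ECDSA_DER)):
        print(label, signature_algorithm_name(der), "SHA-1:", uses_sha1(der))
```

Run `server_uses_sha1("www.example.com")` for each hostname in your inventory to build the list for step 1; it inspects only the leaf certificate, so check the intermediates in the chain separately if your CA still signs them with SHA-1.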

These standards keep changing, especially with how fast new technologies appear. SSL certificates are one of the ways these industry standards are enforced to make a more secure internet for everyone.


About SSLSupportDesk:

SSLSupportDesk is part of Acmetek, a trusted advisor on security solutions and services. Acmetek provides comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDoS protection, WAF and Malware Removal. If you are looking for security, look no further: Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create an additional revenue stream while we do the heavy lifting for you.