You’ve seen this before, right? It’s only going to get worse in January.
There is a little-known upgrade going on world wide with the browsers we all use to navigate the Internet. I say “little known” because while we geeks know all about it, most normal computer users don’t know and don’t care about it. Well, you should!
What caused this?
There is a security protocol (known as SHA-1) that gives you that little green lock icon in your browser when you visit a secure site. You might not even notice it’s there. It’s important because it’s telling your browser “Hey, it’s ok. You can trust this site! No worries here!” Well, truthfully, people have been saying since 2005 that this level of security isn’t really all that secure. Yeah, it’s secure, but it’s able to be hacked. If you fast-forward to 2016 it’s become so easy to hack that the browsers have collectively gotten together and decided it can’t be trusted. No longer will SHA-1 security be enough to secure a website. Foreign nations can hack it. Enterprising groups of hackers can brute-force their way into it. You can even find instructions for how to break SHA-1 encryption with a Google search these days. Basically – it’s not secure anymore.
Here is an example of a secure connection icon:
Here is an example of what that will look like after the change if it is encrypted with SHA-1:
Why do I care?
For the last year or more, you’ve been seeing errors like the one at the top of this page when you visit a SHA-1 site in your browser. Sometimes Internet Explorer will allow you to see the site but Chrome won’t. Maybe Firefox won’t view it, but Chrome will. It depends on your version of your browser. You should care because effective January of 2017 ALL the leading browser companies have drawn a line in the sand. It’s basically stating that they’ve been warning you for a decade not to use it, but you haven’t listened, so they’re going to completely block access to web sites secured using SHA-1 security. End of story. If the site uses SHA-1, you won’t be able to access it, period.
See that first image above? As of November 2016, you can click the link that says “Advanced” and see another screen like the one below.
Notice that text that says “Proceed to sha2.badssl.com (unsafe)?” That’s the browser telling you that you shouldn’t go on, but you can if you want to. In 2017, that option will be removed.
What can I do about it?
Unfortunately there’s not much you can do about it. That’s not actually a bad thing. SHA-1 security is like using an old fashioned skeleton key on a dangerous mine shaft. It was OK back before everyone learned you can pick them with a flat-blade screwdriver. Now that everyone knows that, you need to use better security to keep people from falling in. Since “you” (the internet at large) hasn’t done that, Microsoft, Chrome, and Firefox are going to do it for you by tearing up the road so you can’t get to that mine shaft anymore. If you can’t get there, you can’t fall in. Get it?
How do I know what sites use it and how I’ll be impacted?
You don’t. Yes, you could technically figure it out, but suffice it to say that’s beyond most people’s skill level. The important thing to know here is that roughly 35% of the Internet still uses this old skeleton key to secure your information. As of January those sites will stop working for you altogether until something is done to remedy their security. Picture it like a big bodyguard walking in front of you all the time. Your browser basically gets to a site a millisecond before you do, looks around the room and says “Ok, it’s safe to come in.” Starting in January that bodyguard is going to walk ahead of you, take one look in the room, and say “No way. No how. Turn around now and go somewhere else. This isn’t safe for you.” It’s not going to ask you anymore, or let you through with a stern warning. It’s simply going to block access to the website altogether.
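For the more technical readers who want to "figure it out" themselves: the thing browsers are checking is the signature algorithm recorded inside each certificate in the site's chain. Below is an added example (it is not from the original post, and not a tool we ship) that reads that algorithm straight out of a DER-encoded certificate using only Python's standard library, and reports whether it is one of the SHA-1 variants. The sample certificate it parses is a constructed shell built inline so the code runs offline; the small OID table is an assumption limited to the common RSA/ECDSA/DSA algorithms.

```python
# Minimal DER walker that pulls the signatureAlgorithm OID out of an X.509
# certificate. Per RFC 5280 a certificate is:
#   Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
# Standard library only; no network access needed.

# Signature algorithm OIDs that still rely on SHA-1 (assumed subset, not exhaustive).
SHA1_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
# Their SHA-2 replacements, so the report can name what a modern chain uses.
OTHER_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos.
    Handles both short-form and long-form lengths (real certificates need both)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted text."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:                     # remaining arcs are base-128, MSB = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return (dotted_oid, name, uses_sha1) for one DER-encoded certificate."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert_body, 0)            # skip tbsCertificate entirely
    tag, alg_id, _ = _read_tlv(cert_body, pos)     # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)       # first field is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    if oid in SHA1_OIDS:
        return oid, SHA1_OIDS[oid], True
    return oid, OTHER_OIDS.get(oid, "unknown"), False


# --- constructed sample input (not a real certificate) -----------------------

def _der(tag, content):
    """Encode one DER TLV, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER content bytes (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_certificate(sig_oid):
    """Build a structurally valid certificate shell with the given signature OID.
    The tbsCertificate is a placeholder made large enough to force long-form lengths,
    and the signature bytes are zeros: enough to exercise the parser, nothing more."""
    tbs = _der(0x30, _der(0x04, b"\x00" * 300))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" * 65)                                         # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        print(signature_algorithm(constructed_certificate(oid)))
```

To run this against a live site, fetch the leaf certificate with `ssl.get_server_certificate((host, 443))`, convert it with `ssl.PEM_cert_to_DER_cert(...)`, and pass the result to `signature_algorithm`. Two caveats: the browsers' rule applies to every certificate in the chain below the root (a SHA-2 leaf under a SHA-1 intermediate still fails), and the root's own self-signature is ignored because roots are trusted by inclusion in the browser's store, not by their signature.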
How this affects our customers
We often get calls from customers who need access to sites to run their business that might not have been up-to-date on their security practices. We get a call along the lines of “Hey, I can’t get to this website anymore. I’m getting some kind of weird block. I really need to get to this site for work. Please fix it.” In the past we’ve been able to employ a number of techniques or tricks to allow certain users to access these sites. When this new practice goes into effect, that ability goes away. That’s why we’re telling you NOW. When you call and we see it’s blocked due to a SHA-1 security issue, there’s not going to be anything we can do to grant you access to it. The internet has been trying to get companies to upgrade for years. The general response from security companies is akin to a parent telling you “I told that child to clean his act up and he didn’t do it. Sorry, but you can’t play at his house any more until he does.”
Things we can’t forecast, but will anyway
There will definitely be some impact to business, and even our industry, especially in terms of hardware with integrated web sites built into them. For example, your business might have a piece of equipment, such as a special router or access point or even a security camera DVR. Often those appliances have built-in web sites that administrators (like us) use to access them and make changes, check on status of devices, or just view reports. If those devices use SHA-1 security, the web interface to them will be broken. Our advice for all businesses is to expect to hear at least once in early 2017 that you have to replace a piece of equipment because it’s not going to be supported anymore. And no, we can’t tell you which devices that’s going to be yet because we aren’t sitting around cataloging security token information for every piece of equipment on the planet. We’ll learn about it the same time you do.
Unlike websites, some of these pieces of equipment might be years old and no longer supported by their manufacturers, so you can’t count on an update being released from them. You’ll be prodded into new hardware instead.
Why are you telling us this?
We’re sharing this for two reasons. First, because you deserve to know how it will impact you. Secondly, we’re telling you so you don’t shoot the messenger in 2017 when companies like ours tell users like you that we can’t support XYZ device or you have to replace XYZ device because it’s no longer supported. Don’t shoot the messenger, ok? (That’s what I should have titled this….)
More links about SHA-1 in the news:
Here are a couple links you can read if you want to hear a more technical version of what we just shared with you.
- 35% of websites still using insecure SHA-1 certificates – From HelpNet Security
- An update to our SHA-1 deprecation roadmap – From Microsoft
- Tick-tock: Time is running out to move from SHA-1 to SHA-2 – From Infoworld
- An update on SHA-1 certificates in Chrome – From Google’s Security Blog