SSL Certificate Review

Information Security at FireOak StrategiesOver the past few years, the major web browser vendors have all announced plans to discontinue support for SSL/TLS certificates that use the “SHA-1” signature algorithm due to security concerns. The SHA-1 algorithm is comparatively weak and its use could allow an attacker to impersonate your sites and domains online.  A similar flaw was discovered in the older “MD5” algorithm, which was subsequently used in a number of cyberattacks and malware campaigns.    

Google has recently announced that they will be removing support for SHA-1 from their Chrome browser at the end of January, 2017. Users who visit https-protected websites which use SHA-1 after this date will be greeted with a security error and will be unable to use the site.  

All website administrators are urged to review their sites to check for any hidden uses of SHA-1 certificates. In large organizations with many certificates in use, it is likely that some rarely-used services, third-party vendor sites, or development sites are still using SHA-1 signed certificates.