Why You Need to Encrypt Your Web Assets with SHA-2 in 2016
February 26, 2016 | Petar Petrovic
Ensuring your infrastructure is secure enough for users to browse and conduct business on can be a tricky business.
New security vulnerabilities are popping up every day in software frameworks, protocols, and operating systems. And while some of these vulnerabilities are very hard to stop, the vast majority of them can be thwarted with a simple and cost-effective security measure: SSL/TLS.
However, since a working version of the SSL security protocol was initially released in 1996, a lot has changed, including the reliability of the cryptographic hash that the protocol is based on: SHA-1.
Big players in the web performance and security industry such as Google, Microsoft, and Mozilla have announced that their web browsers will stop treating certificates generated through SHA-1 as secure starting on January 1, 2017.
Why SHA-2 Is Needed
To understand why SHA-2 is needed, you need to have a basic understanding of HTTPS.
Search engines like Google have considered HTTPS a ranking factor for quite some time. Also, the computing power of devices we use every day has skyrocketed over the years, making it easier for them to efficiently handle encrypted connections. Pair these facts with the business value of SSL/TLS and it’s safe to assume that non-HTTPS sites will soon become an ugly relic of the past.
When you purchase a security certificate from a Certified Authority, the certificate is generated with a particular algorithm that is hard to break. This makes it difficult for malicious users to hack into the transport line your web content passes through (hence the name TLS, transport layer security.)
One of the most widely-used algorithms to generate these certificates is SHA-1, but this algorithm was considered compromised about a decade ago. Way back in 2005, several crypto analysts found that SHA-1 was not secure enough to be used in the foreseeable future.
The reason popular search engines are making the decision to stop treating SHA-1 as secure is because there is a fairly high possibility of a successful attack on the SHA-1 algorithm in the next year or two. Considering the fact that mainstream computing devices get more powerful every day, cracking the SHA-1 algorithm on a typical modern laptop could be quite possible very soon.
A solution? Use a better algorithm of course.
What SHA-2 Looks Like
SHA-2 is a hashing algorithm that is much stronger than SHA-1. While SHA-1 produces a 160 bit-long hash value, SHA-2 can produce much wider hashes, starting from 224 bits and higher. Commercial SSL/TLS providers usually use 256 bit-long hashes for new certificates, which is why SHA-2 is commonly referred to as SHA-256.
Example of SHA-1 Hash
Example of SHA-2 Hash
In theory, with enough computing power, 256-bit hash values can be cracked and the encrypted information accessed. However, in practice, that’s still not viable due to today’s hardware limitations in 99.9% of cases. That being said, think of SHA-2 as a much more secure algorithm compared to SHA-1.
How to Transition to SHA-2
Transitioning from SHA-1 to SHA-2 is very straightforward.
First you should reach out to your SSL provider and check if the SSL certificate you purchased is already generated through SHA-2. In case it isn’t, most providers will be more than happy to regenerate the certificate for you. (You may need to generate a new private key though).
Our CDN backend infrastructure supports SHA-2 certificates and more and more of our clients are switching to them every day. In case you get stuck along the way, you can always reach out to our support team for immediate assistance.
Verify Your SHA-2 Certificate
You can use the OpenSSL command line utility to verify you have a SHA-2 certificate on your domain. All you need to do is enter the following command in your terminal. (Replace maxcdn.com with your origin URL or CDN URL.)
$ openssl s_client -connect maxcdn.com:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep “Signature Algorithm”
After hitting Enter, you should see an output similar to this:
Signature Algorithm: sha256WithRSAEncryption
If you do, you can rest easy knowing you’re officially running a SHA-2 certificate.