Standards change in technology all the time. In the 1980s and 1990s there was a standard called “open systems”, which meant the Unix operating system; it came in several flavours, none of which was quite compatible with the rest. It was an interesting use of the word “open”. Meanwhile Windows, a proprietary system, had only one source and so was in practice more open than the open systems themselves.
This anecdote is intended purely as an illustration of how frankly silly some standards can become. It explains in many ways why numerous technology professionals are sceptical when a new standard is established or an old one jettisoned. Nonetheless, it appears that the hash algorithm currently used to sign many website security certificates, Secure Hash Algorithm 1 (SHA-1, here’s its Wikipedia entry), is going to be outmoded within a couple of months. By January 2017, the leading web browsers (we’re talking about Google’s Chrome, Microsoft’s Edge and Firefox) will no longer recognise an SHA-1 certificate as secure. Here’s Google’s statement on it, for example.
This is fine. The criteria for a 1989 MOT aren’t valid for the modern day because of emissions and updated technology, and web browsers need to move in the same way. However, there’s a problem. A lot of sites are still stuck on SHA-1.
Standards dictate the need to upgrade
Security company Venafi has done a little research into the issue and discovered that 35 per cent of companies are still using SHA-1-signed certificates. That’s 35 per cent of the world’s sites, if the sample in the research was representative (and that’s always a big “if”), which might do any of the following things on 1 January:
- Warn users that the site is insecure. We’ve all seen “certificate is not trusted” warnings on websites we visit; these could increase dramatically. Will clients remain on the site or look elsewhere?
- Fail to display the padlock sign that assures customers that, for example, financial transactions are safe
- Perform badly or perhaps be completely blocked
There can be no certainty as yet as to what’s going to happen, but you can be reasonably sure that something will give way. The nearest comparator we’ve seen in recent times is the Millennium Bug in (obviously) 2000, which failed spectacularly to do any damage. In this instance, it’s positively known that the old standard won’t work with modern browsers.
The digital certificate, which SHA-1 is used to sign, is an important part of establishing trust between users and a website. It underpins the encryption of traffic and assures users that they are through to a legitimate site. “Our whole online world is predicated on the system of trust that is underpinned by these certificates; organisations have an obligation to ensure that this is fixed,” commented Kevin Bocek, chief security strategist at Venafi. “Leaving SHA-1 certificates in place is like putting up a welcome sign for hackers that says, ‘We don’t care about security of our applications, data, and customers.’”
There are still six weeks or so to go. It would be a good time, if you’re responsible for a website (and this means board members who are technically responsible for the whole enterprise), to check which algorithm your certificates are signed with, renew any that still use SHA-1, and ensure your own site will work properly into the New Year.
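As an added example (not from the article or from Venafi), here is a standard-library-only Python reader that pulls the signature algorithm out of a DER-encoded X.509 certificate and flags SHA-1. The two sample certificates at the bottom are constructed skeletons with an empty body, built only to exercise the reader; the OID table covers a handful of common algorithms, not every one in use.

```python
# Signature-algorithm check for a DER-encoded X.509 certificate (stdlib only).

SIGNATURE_OIDS = {                          # OID -> (name, digest), per RFC 3279/4055/5758
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert OID content bytes to dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name, digest) for the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate, skipped
    _, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_raw)
    return (oid,) + SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))

def is_sha1_signed(der):
    return signature_algorithm(der)[2] == "SHA-1"

def _fake_cert(oid_bytes):
    """Constructed sample: empty tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    alg_id = b"\x30\x0d\x06\x09" + oid_bytes + b"\x05\x00"
    body = b"\x30\x00" + alg_id + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body

SAMPLE_SHA1 = _fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")    # sha1WithRSAEncryption
SAMPLE_SHA256 = _fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption
```

For a live site, `ssl.get_server_certificate((host, 443))` returns the leaf certificate as PEM and `ssl.PEM_cert_to_DER_cert` converts it into the bytes this reader expects; a thorough check also inspects the intermediate certificates in the chain, since browsers treat a SHA-1 intermediate the same way.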