SHA stands for “secure hash algorithm”. It is a family of hash functions that, among other uses, is what a certificate authority signs when it issues an SSL certificate: the authority hashes the certificate's contents and signs that hash, and a web browser recomputes the hash to confirm the certificate has not been altered. SSL certificates are used by web browsers to verify the authenticity of a web server.
Traditionally most SSL certificates have been signed using the SHA-1 algorithm. SHA-1 was introduced 20 years ago and was appropriate for the computers of that time. Modern computing has advanced to the point where SHA-1 is considered insecure: it is becoming practical to produce two different documents with the same SHA-1 hash, which is exactly what an attacker would need to pass off a forged certificate as a legitimate one.
Businesses large and small have been working on plans to address the security issues with SHA-1 for some time. Here at ESG we have been making plans to transition our clients from SHA-1 to SHA-2 gradually between 2015 and 2016, and we started this migration in January 2015. This is a similar approach to that of companies such as Microsoft and Google, which have announced that they will deprecate the use of SHA-1 and move to the more secure SHA-2 family (in practice SHA-256). Additionally, ESG will be moving clients from 128-bit to 256-bit encryption for the connection itself during this same process. Note that encryption strength is a setting on the web or e-mail server, separate from the certificate's signature algorithm, so both need attention.
How will this impact you as an ESG client? The transition will be pretty seamless. We will be replacing your old SHA-1 secure certificates with new SHA-2 certificates as they come up for renewal. The replacement process often takes just a few minutes. Should we need to restart your hosting server or e-mail server, we will be in touch with you to coordinate.
How will this impact your clients or web visitors? Part of the reason we at ESG are getting ahead of this curve is to avoid situations where your website or e-mail server is flagged as insecure. The examples below show what visitors will see on websites and e-mail servers that have not moved to SHA-2 by the end of 2016.
What should you do if you are working with a customer, client or vendor that does not have a SHA-2 certificate or a plan in place? Have them contact their IT provider or, better yet, have them talk to us at ESG. This change is largely “behind the scenes”, but it is a critical part of an overall website and e-mail security plan. If you are working with a third party whose IT is not helping them with this, the information you exchange with them will pass through a server whose certificate is signed with SHA-1, which browsers will soon refuse to trust.
Details about this change:
Example of the older, soon-to-be-replaced SHA-1 and 128-bit encryption:
In the example above, the browser reports a SHA-1 certificate and 128-bit encryption. Once upgraded, the same site will show SHA-2 (SHA-256) as the certificate's signature algorithm and 256-bit encryption for the connection.
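For anyone who would rather check a certificate from the command line than read the browser's certificate dialog, the following script reports which hash algorithm signed a certificate file and flags SHA-1. It is an added example, not ESG's own tooling or a screenshot from the original page; it assumes the openssl command-line tool is installed, and the certificates it inspects are throwaway self-signed ones it generates itself (constructed test data, not a customer certificate).

```sh
#!/bin/sh
# Added example (not ESG's tooling): report which hash algorithm signed a
# certificate, so a SHA-1 certificate can be spotted before a browser flags it.
# Assumes the openssl command-line tool is installed.

# Print the signature algorithm name from a PEM certificate file,
# e.g. sha1WithRSAEncryption or sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Succeed (exit 0) when the certificate is signed with SHA-1, i.e. when it
# needs replacing; fail (exit 1) for SHA-2 family signatures or anything else.
cert_uses_sha1() {
    case "$(cert_sig_alg "$1")" in
        sha1*|*SHA1*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Human-readable verdict for one certificate file.
cert_verdict() {
    if cert_uses_sha1 "$1"; then
        echo "$1: $(cert_sig_alg "$1") -> SHA-1, replace before end of 2016"
    else
        echo "$1: $(cert_sig_alg "$1") -> OK"
    fi
}

# Make a throwaway self-signed certificate using the given digest (sha1 or
# sha256). This is constructed test data, not a customer certificate. Some
# OpenSSL builds refuse to sign with SHA-1, in which case this returns non-zero.
make_test_cert() {
    digest="$1"; out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out%.pem}.key" \
        -out "$out" -subj "/CN=sha-test.example" -days 1 "-$digest" >/dev/null 2>&1
}

# Demo: build one SHA-256 certificate and, where the local OpenSSL allows it,
# one SHA-1 certificate, then report on both.
demo() {
    tmp=$(mktemp -d)
    if make_test_cert sha256 "$tmp/new.pem"; then
        cert_verdict "$tmp/new.pem"
    fi
    if make_test_cert sha1 "$tmp/old.pem"; then
        cert_verdict "$tmp/old.pem"
    else
        echo "local OpenSSL refuses to sign with SHA-1; SHA-1 demo skipped"
    fi
    rm -rf "$tmp"
}

demo
```

Point cert_verdict at any PEM certificate you hold to see whether it is one of the SHA-1 certificates that will be replaced. The 128-bit versus 256-bit figure is not in the certificate at all: it is the cipher the server negotiates for each connection, which `openssl s_client -connect host:443` prints as the "Cipher" line, and it is changed in the server's configuration rather than by reissuing the certificate.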