Connect with us

Hi, what are you looking for?


Network Security

1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline

In 45 days, Certificate Authorities (CAs) will no longer issue certificates using the SHA-1 cryptographic hash function, but 35% of websites still use such certificates today, a new research from Venafi reveals.

In 45 days, Certificate Authorities (CAs) will no longer issue certificates using the SHA-1 cryptographic hash function, but 35% of websites still use such certificates today, a new research from Venafi reveals.

Last year, security researchers revealed that new collision attacks have significantly lowered the cost of breaking the two decade-old SHA-1 algorithm that became an Internet security standard. This prompted an industry-wide move away from the insecure crypto function and toward the much more secure SHA-2 or SHA-3, after researchers have been urging this change for years.

Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure.

Despite this push, one in three websites is still using SHA-1 certificates at the moment, Venafi says. The number is the result of an analysis of over 11 million publicly visible IPv4 websites, 35% of which face disruptions in the New Year. This also means that many website admins are either currently struggling to replace their SHA-1 certificates or are unaware that they still use such certificates and haven’t located them.

As soon as the SHA-2 migration deadline will arrive, web traffic to affected websites will be disrupted in various ways, Venafi says. Browsers will display warnings to users, informing them that the sites are insecure, and they will no longer display the ‘green padlock’ on the address line for HTTPS transactions. Performance issues are also expected, including completely blocked access to affected sites.

This will impact not only the user experience, but will also result in an increase in help desk calls and a reduction in revenue from online transactions for the affected sites. Long-term reputation damage will also occur, Venafi says.

“The results of our analysis clearly show that while the most popular websites have done a good job of migrating away from SHA-1 certificates, a significant portion of the Internet continues to rely on SHA-1 certificates. According to Netcraft’s September 2016 Web Server Survey, there are over 173 million active websites. Extrapolating from our results, as many as 61 million websites may be using such certificates,” Walter Goulet, cloud solutions ‎product manager at Venafi, commented.

Digital certificates aren’t used only to verify that the website the user connects to is legitimate, but also to determine what can and can’t be trusted during online transactions. This is of critical importance when sensitive data is transmitted, and weak certificates such as those using the SHA-1 encryption algorithm can be manipulated, researchers say.

Advertisement. Scroll to continue reading.

Collision attacks on SHA-1 certificates allow cybercriminals to perform man-in-the-middle attacks on TLS connections, and the more secure SHA-2 algorithm solves these problems. However, as long as many websites still use insecure certs, users connecting to them are at risk.

“Our whole online world is predicated on the system of trust that is underpinned by these certificates; organizations have an obligation to ensure that this is fixed. Leaving SHA-1 certificates in place is a like putting up a welcome sign for hackers that says, ‘We don’t care about security of our applications, data, and customers,” Kevin Bocek, chief security strategist at Venafi, said.

He also explains that, at an average of over 23,000 keys and certificates, many organizations don’t have the necessary tools or visibility to find and replace all SHA-1 certificates in their environment. However, they have only one month and a half to come up with a plan and resolve the issue, because things will be more difficult once their websites start to break.

Related: Akamai to Kill Support for SHA-1 Certificates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.