Security Infrastructure

Akamai to Kill Support for SHA-1 Certificates

Akamai on Wednesday announced that as of Dec. 27, 2016 it will no longer support SHA-1 certificates, after handing out only SHA-256 certificates for a period of time starting Nov. 3.

Last year, a team of security researchers demonstrated that the cost of breaking the SHA-1 cryptographic hash function is much lower than previously believed, and tech companies moved quickly in response. As a result, Google, Mozilla and Microsoft announced plans to retire SHA-1 in their browsers; Firefox will soon display an error message when it encounters a SHA-1 certificate.

As of Jan. 1, 2016, most Certificate Authorities no longer issue SHA-1 certificates, and the move away from the insecure hash function is expected to be complete by Jan. 1, 2017. With Chrome, Firefox, Internet Explorer and Edge also dropping support for the hash function, the only obvious step is to follow suit, notes Erik Nygren, Fellow and Chief Architect in the Akamai Platform.

Akamai switched to RSA SHA-256 certificates in early 2015 and now says that over 95% of the customer certificates served on Akamai’s Secure CDN have moved to RSA SHA-256. Even so, custom clients or applications that break when the SHA-1 certificate rotates into a SHA-256 certificate continue to emerge, and available options are limited, Nygren says.

One issue that could emerge from the sunset of SHA-1 in browsers is users' inability to access their preferred websites if those sites have not transitioned away from SSL certificates signed with the SHA-1 hash function. Because of this, companies such as Facebook, CloudFlare and even Twitter called for a delay in moving away from SHA-1 certificates.

Akamai too has been “trying to stretch out SHA-1 support as far as safely possible,” Nygren notes, especially since the company still sees a significant number of handshakes completing with SHA-1. Continuing to hand out SHA-1 certificates will not be possible past the end of 2016, because it would mean serving an expired or otherwise invalid certificate: even clients that do not support SHA-256 will typically display an error when they encounter an expired certificate.

“To avoid making the change to our shared certificate on New Year’s Eve, we will be shutting off the SHA-1 certificate, and will always hand out an RSA SHA-256 or ECDSA SHA-256 certificate, on or around December 27. Additionally, on November 3, we will be only handing out SHA-256 certificates for a period of time. The goal is to help customers identify a dependence on SHA-1 and give them time to make changes ahead of end-of-year freezes,” Nygren says.

Some companies might have a local CA root signing certificate for internal sites, but they too are advised to make sure that SHA-1 certs are no longer in use. While some browsers might have exceptions for these locally installed CA roots, others don’t. Chrome, for example, will return a fatal network error even in these cases.

At this point, the industry is determined to sunset SHA-1 at the end of 2016/beginning of 2017, yet SHA-1 root certificates that perform signatures with SHA-256 will continue to work. “This is because the risk exposure is around performing signatures over a hash function where two certificate inputs can be readily found that hash to the same value,” Nygren explains.

He also notes that all site admins should make sure they have rotated to SHA-256 certificates before the end of the year. Applications or devices relying on Akamai’s shared certificate should be tested for handling SHA-256 certificates, so that no disruption occurs when Akamai drops SHA-1 support.
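The practical check behind Nygren's advice, and behind the "SHA-1 root signing with SHA-256 still works" point above, is to look at the signatureAlgorithm field of each certificate in a served chain and flag any SHA-1 signature on the leaf or an intermediate. The script below is an added example written for this article, not Akamai's code or tooling: it walks the outer DER structure of an X.509 certificate with a minimal TLV reader, decodes the signature OID, and audits a leaf-first PEM chain, treating only the last (root) certificate's self-signature as not validated. The certificate fixtures it builds are constructed, certificate-shaped DER with a meaningless tbsCertificate, used solely to exercise the parser; the OID tables are the standard RFC 3279 / RFC 5758 values.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 5758), grouped by the hash they use.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA256_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode OID content octets to dotted form (first octet packs two arcs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    """Strip the PEM armour and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", pem))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip tbsCertificate whole and return the OID inside signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)           # tbsCertificate, skipped
    tag, alg, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return _decode_oid(oid)

def classify_signature(der):
    """Return (hash family, algorithm name) for one certificate."""
    oid = signature_algorithm_oid(der)
    if oid in SHA1_SIGNATURE_OIDS:
        return "SHA-1", SHA1_SIGNATURE_OIDS[oid]
    if oid in SHA256_SIGNATURE_OIDS:
        return "SHA-256", SHA256_SIGNATURE_OIDS[oid]
    return "other", oid

def audit_chain(pem_chain):
    """Classify each certificate of a leaf-first PEM chain. Signatures on the leaf
    and intermediates are what clients verify; the root's self-signature is not,
    so a SHA-1 root that signs with SHA-256 is reported as fine."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                        pem_chain, re.S)
    report = []
    for i, block in enumerate(blocks):
        family, name = classify_signature(pem_to_der(block))
        is_root = i == len(blocks) - 1
        if family == "SHA-1" and not is_root:
            verdict = "ROTATE: SHA-1 signature will be rejected"
        elif family == "SHA-1":
            verdict = "ok: root self-signature, not validated"
        else:
            verdict = "ok"
        report.append((i, name, verdict))
    return report

# --- CONSTRUCTED fixtures: certificate-shaped DER, not real certificates ---
_OID_DER = {  # content octets of the OIDs used in the fixtures
    "1.2.840.113549.1.1.5": bytes.fromhex("2a864886f70d010105"),
    "1.2.840.113549.1.1.11": bytes.fromhex("2a864886f70d01010b"),
    "1.2.840.10045.4.3.2": bytes.fromhex("2a8648ce3d040302"),
}

def _tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def synthetic_cert_pem(sig_oid):
    """Outer Certificate structure with a padded, meaningless tbsCertificate (so the
    long-form length path is exercised); only signatureAlgorithm is meaningful."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + b"\x00" * 200)
    params = _tlv(0x05, b"") if sig_oid.startswith("1.2.840.113549") else b""
    alg = _tlv(0x30, _tlv(0x06, _OID_DER[sig_oid]) + params)
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 33))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    chain = synthetic_cert_pem("1.2.840.113549.1.1.5") + synthetic_cert_pem("1.2.840.113549.1.1.11")
    for entry in audit_chain(chain):
        print(entry)
```

On a real deployment the input to `audit_chain` is the PEM chain the server actually sends (for example, what an `openssl s_client -showcerts` session captures), and the thing to confirm is that every entry except the root reads `ok` after the rotation, plus that the custom clients or devices Nygren mentions still complete a handshake against the SHA-256 certificate.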

Related: New Collision Attack Lowers Cost of Breaking SHA1

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
