Since the mid-1990s, SHA-1 digital certificates have been the standard used across the Internet to verify user and device identities. SHA-1 certificates have existed for years on nearly every server and client computing device, providing the foundation for trusted communications between user devices.
But now, this fundamental trust relationship has changed. With recent advances in computing power, the bad guys have finally figured out how to weaken the SHA-1 hashing algorithm—which means that it can no longer be relied on as a standard.
A breached SHA-1 certificate platform can lead to all sorts of dangerous scenarios, such as a man-in-the-middle attack. In this type of hack, a trusted e-commerce site is redirected to a spoofed web site, leading users to unknowingly give their financial credentials to a malevolent party in a distant location.
Because the SHA-1 certificate infrastructure is no longer reliable, it will soon be replaced by the new, more secure SHA-2 standard. In fact, the U.S. Department of Defense (DoD) has required all certificates and applications that use them be SHA-256/RSA capable by the end of 2013. And large commercial entities such as VeriSign, Microsoft, and Google are finally getting on the bandwagon to end SHA-1 use for certificates by the end of 2015.
What You Need to Know About the End of SHA-1
As a company doing business on the Internet, what does all of this mean for you? Here’s a quick rundown:
- The SHA-1 certificate standard, the foundation for digital identity in most networks today, is outdated and vulnerable to attack.
- Starting in 2016, commercial certificate vendors will no longer issue SHA-1/RSA certificates, including code-signing certificates.
- The U.S federal government is mandating for its agencies that all SHA-1 certificates must be transitioned to SHA-2 by end of year 2015, including replacement certificates on internal, on-premises mainframe and mid-range systems.
- Any SHA-1 certificate issued anytime in 2015 will be valid for only one year.
- Businesses that leverage third-party certificates for authentication and code-signing need to work with third-party software vendors to support SHA-256/RSA certificates well before the cutoff dates in order to have time to test in their environments.
Make a Checklist
I recommend moving quickly towards the following goals:
- Evaluate current SHA-1 certificates to determine upcoming expiration dates.
- Put together a plan for transitioning all SHA-1 certificates currently in use to SHA-2 certificates.
- Move to Windows 7 or later as the desktop standard, as SHA-256/RSA signed code-signing certificates are not supported in earlier operating systems.
Look for Trusted Third-Party Vendors
Trusted certificate vendors provide SHA-2 certificates for purchase today. And third-party application software vendors who employ secure development practices also support SHA-256/RSA digital certificate environments and provide applications signed with SHA-2 certificates.
Industry best practice for enterprise software vendors involves using a secure development lifecycle (SDL) practice to develop applications that provide the latest security technology available.
Attachmate Support for SHA-2
Attachmate has been implementing an SDL methodology for many years now. To help you better secure connections to your enterprise systems, including mainframes, we have recently added support for SHA-256/RSA certificates in the following client-based terminal emulation products:
And Attachmate server-based products began supporting SHA-256/RSA in 2013. These products include:
For further details about Attachmate security and support for SHA-2/SHA-256, please visit the Attachmate Security Updates page.