After some pushback from the industry, Google has revised its timetable for deprecating support of the SHA-1 cryptographic hash for issuing TLS/SSL digital certificates, but the new schedule still may be too aggressive and nearly impossible for many web operators to meet.
Having noted for quite some time that SHA-1 no longer offers an acceptable level of security, Google has made it clear it would compel users to update their security certificates, moving from SHA-1 to SHA-2 over the next two to three years. Microsoft, too, said last fall that it would start withdrawing its support for SHA-1 on January 1, 2016, with the transition complete by January 1, 2017.
But Google's late-August announcement that Chrome 39, due to be released within the next 12 weeks, will treat some sites as untrusted, and that notifications would begin appearing when users accessed those sites, took even advocates by surprise.
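Operators who want to know whether their own certificates are among those Chrome 39 will flag can read the signature algorithm straight out of the certificate. The following dependency-free Python check is an added example, not code from the article or from Google; its two sample certificates are constructed stubs with placeholder contents, and the OID tables are the standard X.509 signature-algorithm identifiers.

```python
# Added example: flag DER certificates whose outer signature uses SHA-1.
# Signature-algorithm OIDs from RFC 3279/4055/5758; only the outer
# signatureAlgorithm field is inspected.
SHA1_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SHA2_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
             "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
             "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
             "1.2.840.10045.4.3.4": "ecdsa-with-SHA512"}

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode BER-encoded OID bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _tlv(cert, 0)         # skip tbsCertificate entirely
    _, alg_id, _ = _tlv(cert, after_tbs)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(oid)

def classify(der):
    """Return ('SHA-1', name), ('SHA-2', name) or ('unknown', oid) for a DER certificate."""
    oid = signature_algorithm(der)
    family = "SHA-1" if oid in SHA1_OIDS else "SHA-2" if oid in SHA2_OIDS else "unknown"
    return family, {**SHA1_OIDS, **SHA2_OIDS}.get(oid, oid)

# Constructed stub certificates (placeholder tbsCertificate and signature), not real ones.
SHA1_STUB = bytes.fromhex("3017" "3003020102" "300d06092a864886f70d0101050500" "030100")
SHA256_STUB = bytes.fromhex("3017" "3003020102" "300d06092a864886f70d01010b0500" "030100")
```

For a PEM file, base64-decode the text between the BEGIN and END lines to get the DER bytes; a chain should be checked certificate by certificate, since an intermediate signed with SHA-1 affects every leaf below it.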
The accelerated schedule raised concerns that potentially hundreds of thousands of web operators may not be able to comply in the proposed timeframe and that users would find the notifications both confusing and alarming.
“It took everyone by surprise,” CA Security Council's (CASC) Jeremy Rowley, associate general counsel at DigiCert, Inc., told SCMagazine.com in a Wednesday interview.
While the CASC applauds Google's “endeavor” to strengthen browser security and supports the transition to SHA-2, he explained that a lot of companies are using SHA-1, particularly in China, and that the first notifications in Google's proposed schedule would hit during the holiday season, when companies can't have any interruptions. Even the adjusted deprecation schedule offers only a little wiggle room.
“It's a nice gesture,” said Rowley, but “accelerating a whole year really messes up the sales cycle.”
The number of organizations and users that the change will impact is currently unknown.
“Maybe Google has numbers on how many people it will impact but they haven't shared yet,” Rowley said. “We know a lot of people using SHA-1. Getting [SHA-2] installed on their systems in the next two months” before the warnings start popping up, might prove impossible.
The warnings might also “confuse the end users of websites,” CASC's Robin Alden, CTO at Comodo CA Ltd., told SCMagazine.com in an interview. “How are they going to understand what that means?”
In fact, the alerts may leave them questioning whether they can trust the internet.
Potentially, among the hardest hit will be small and medium-sized businesses, which often hire an outside consultant to set up their servers and security certificates and then just let them ride for two to three years.
Switching certificates more frequently, unless there is a known compromise, may be cost-prohibitive. Larger organizations, like Google, for instance, change their certificates frequently and may be more current.
To ease the burden and smooth the transition, “we would like to work [with Google, Microsoft and others] to get a timeline that works for everyone,” said Rowley. “We need to make sure everyone coordinates so users don't have to change certificates so often.”