Sunsetting SHA-1: How Yottaa is Helping Maintain Web Security
Google is hustling the Internet toward better online security practices, in this case by proactively sunsetting support for the SHA-1 cryptographic algorithm and, with Chrome 39 in November, by warning users that sites with SHA-1 certificates that expire past January 1, 2017 are not fully trustworthy. To ensure the best end user experience for our clients’ customers, Yottaa is proactively addressing certificates with an expiry date past 1/1/17 and working with customers to migrate them to SHA-2 certificates.
What is SHA?
SHA stands for Secure Hash Algorithm, and is a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). There are four variations of SHA – zero through three. SHA comes into play for secure (SSL traffic over HTTPS) connections and browser sessions.
In this case, Google is sunsetting support for SHA-1, which is 9 years old and has several known exploits. In fact, in 2005 when it was first released, security flaws in the form of a mathematical weakness were believed to exist, indicating that a stronger hash function would be desirable. According to Google, “Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI.” SHA-2 is similar in some ways to SHA-1; however, attacks have not been successfully extended to SHA-2.
What is Yottaa doing about this?
Yottaa’s Operations, Security and Support teams are taking several steps to proactively assist our customers with their web security:
- For customer-supplied certificates that are set to expire, Yottaa is re-provisioning SHA-256 (SHA-2 algorithm using 32-bit words) certificates.
- All current SHA-1 based certificates have been updated to expire in 2015 or 2016 to avoid security warnings in Google Chrome.
- Yottaa Client Services and Support will begin working on migration plans with customers using SHA-1 based certificates to ensure they are transitioned to SHA-2 certificates in 2015.
As always, Yottaa is committed to providing the ultimate end user experience both for our customers and theirs. There should be no impact whatsoever to end users as a result of these activities.
If you have questions or concerns about your site or compatibility with SHA-2, please do not hesitate to reach out to Yottaa Support.