(The Hosting News) – ASEOHosting, a leading provider of international SEO hosting, has released an advisory to its clients concerning the recent announcement from Google that SHA-1-based SSL certificates with expiry dates after 2016 will prompt a visual security warning in the Google Chrome browser.
There appears to be confusion among web hosting clients as to the likely impact of Google’s planned deprecation of SHA-1. To ensure that hosting clients have the information they need to make an informed decision, ASEOHosting is releasing an advisory notice.
“We believe that thousands of site owners and eCommerce merchants could be adversely affected by the early deprecation of SHA-1 in Google Chrome,” commented Daniel Page, Director of Business Development at AHosting, Inc., “While we acknowledge that SHA-1 is potentially insecure, the timing of the deprecation gives clients very little time to prepare in advance of the holiday season.”
Hosting clients who use SHA-1 signed certificates that will expire after 1 January 2017 should replace their certificates with ones that use the SHA-2 hashing algorithm: most certificate authorities will reissue certificates without cost.
Google would like sites to upgrade to SHA-2 (SHA-256) well before 2017, and plans to start showing a visual indication of potential insecurity for sites with SHA-1-signed certificates that expire after 1 June 2016. Google plans to introduce the changes in the beta version of Google Chrome in November and thereafter in the stable version. The move may impact site owners and eCommerce retailers in two ways:
Users may be given the impression that a site using SHA-1 is insecure, potentially impacting sales and user trust.
To avoid undermining user trust, site owners with SHA-1 certificates may decide to have their certificates reissued using SHA-2.
Some browsers, including older versions of Internet Explorer, do not support SHA-2, and site owners will have to make a decision about whether to support users of those browser versions.
SHA-1 is no longer considered a secure hashing algorithm. In theory, it’s possible that a malicious individual with sufficient resources could induce a certificate authority to produce a hash collision on a SHA-1 signed certificate, which would allow them to circumvent the identity validation offered by certificate authorities. In practice, a successful exploitation of the vulnerability is unlikely to be within the means of criminals until 2017 at the earliest.
AHosting is a managed web hosting provider with facilities in Orlando, FL, and Detroit, MI, owned and operated by AHosting, Inc., supplying hosting services that are truly beyond imagination. Since 2002, AHosting has established one of the web’s premier solutions for reseller web hosting, multiple IP hosting, dedicated servers, and VPS hosting. For more information, visit http://www.ahosting.net.