Despite months of reminders and warnings, more than one-third of websites will become inaccessible come 2017. There is barely a month left before major browsers start blocking websites using certificates signed with the SHA-1 hash, but 60 million-plus websites still rely on the insecure encryption algorithm, according to the latest estimates from security company Venafi.

Starting Jan. 1, Mozilla's Firefox browser will show an "Untrusted Connection" error for sites using a SHA-1 certificate, and Google's Chrome browser will drop all support for SHA-1 and completely block sites using SHA-1 certificates. Microsoft has said its Edge and Internet Explorer browsers will start blocking the sites outright on Feb. 1, 2017.

[ Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security Report newsletter. ]

These error messages are different from the browser warnings users typically see for incorrectly configured site certificates, which users can ignore and still access the site. In the case of Google, Chrome will display a network error with no way for the user to bypass and still get to the site. Mozilla will allow Firefox users to override the error message if the issuing certificate authority is included in Mozilla's CA Certificate Program.

Users will no longer be able to access these websites after the deadline, significantly disrupting business operations, warned Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. While there has been significant progress with the migration -- Mozilla said last month that the use of SHA-1 on the web since May 2016 has dropped from 3.5 percent to 0.8 percent -- enough websites are still relying on the weak certificates. These organizations are at risk for security breaches, compliance problems, and outages affecting security, availability, and reliability.

The case for the SHA-1 migration

For years, experts have warned of the security weaknesses in SHA-1 that make the hash particularly susceptible to collision attacks. The National Institute of Standards and Technology (NIST) called for dropping support for SHA-1 back in 2006. New collision attacks have significantly lowered the cost of breaking SHA-1 algorithm, raising concerns that it won't be long before there is a serious cryptographic break. As such, the transition deadline for SHA-1 is long overdue.

"Successful attacks on SHA-1 are well within reach of nation states and other sophisticated adversaries, and these allow them to 'mint' trusted SHA-1 certificates," Bocek said. As early as 2012, attackers were able to distribute the Flame malware using forged Microsoft MD5 certificates.

The industry has been moving away from the insecure cryptographic function toward more secure alternatives, but the migration has been both challenging and time-consuming. The average organization has more than 23,000 keys and certificates, and most typically have poor visibility over how these certificates are being used within their environment. They struggle to get started because they have to first identify all the SHA-1 certificates that need to be replaced. This isn't as simple as getting new certificates from the certificate authority and slotting them in place. It's a multistep process of identifying all the certificates that need to be changed, deploying and testing the new certificates, revoking old certificates, and setting up controls to manage the new certificates.

For many organizations, the process of migrating away from SHA-1 to SHA256 or other safer cryptographic functions is like an unpleasant visit to the dentist, Bocek said.

The coming changes in browsers

Major web browsers have been warning of the impending changes for months. Chrome and Firefox currently display a certificate error warning for sites using SHA-1 certificates issued on or after Jan. 1, 2016. Edge and Internet Explorer have already stopped displaying the address bar lock icon, which indicates the site is secured and trusted, for sites using SHA-1.

Chrome 56, scheduled to be released at the end of January, will be the first version of the browser with support for SHA-1 certificates removed completely. However, the browser will distinguish between certificates chained to a public certificate authority and those chained to local CAs until 2019 to support enterprises who want to continue using SHA-1 certificates for internal applications. Starting with Chrome 54, site administrators will have to deploy the EnableSha1ForLocalAnchors policy to allow certificates chained to local trust anchors. This policy must be set, or SHA-1 certificates chained to locally installed CAs will also started being blocked by Chrome 57, expected in March 2017.

Google may choose to remove support for locally signed SHA-1 certificates before 2019 in the event of a serious cryptographic break. Enterprises should be using this two-year reprieve to migrate those internal certificates off SHA-1.

Firefox 51, currently in Developer Edition and expected to be released in January, would display the Untrusted Connection message starting January, but users will be able to override the warning for the time being. Support for SHA-1 certificates from publicly trusted CAs will be completely disabled "in early 2017," Mozilla said. SHA-1 certificates that chain up to a manually imported root certificate, as specified by the user, will continue to be supported, but Mozilla encouraged enterprises to migrate those certificates as soon as possible.

Don't wait until things are broken

Online trust relies on all the players working together, and digital certificates are a key component of the trust equation. If the organization relies on weak certificates, they are undermining the trust model. Certificate authorities were supposed to stop issuing SHA-1 certificates after Jan. 1, 2016, for example. If the CA is still issuing SHA-1 certificates, then organizations should change CAs.

Cryptographic projects are hard and the price for making a mistake during deployment can be high, so many businesses have stuck their heads in the sand instead of dealing with the migration to SHA-2. However, the deadline isn't going away, and the organizations will see actual business impact for delaying the process. Many organizations will be operating with smaller IT staff as employees take time off before the end of the year, making the process even more challenging. Even so, it will be far better to work on the bulk of the migration in the time left, rather than try to fix the problems after things start breaking in January.

"Leaving SHA-1 certificates in place is like putting up a welcome sign for hackers that says, 'We don't care about the security of our applications, data, and customers,'" Bocek said.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.

InfoWorld Security

When is the best time to deliver a security message?

A group of researchers from Brigham Young University has been tracking users’ neural activity while they are using a computer, and have discovered that security warnings are heeded more if they don’t pop-up right in the middle of a task or action that requires the users’ attention.

delivering security messages

Humans are generally bad at multitasking, and they will ignore such messages in most cases when they are watching a video, typing, or inputing a confirmation code, i.e. when we can’t attend to the message without it affecting the quality of our first task or give enough attention to it.

The best moments to spring a security warning is when the user waits for a web page to load or a file to be downloaded/processed, switches to another site, or after he or she is done watching a video.

Anybody who has ever used a computer and ignored their fair share of security messages will not be surprised by the results of this study.

But it is surprising that the software industry hasn’t already made it so that all security messages that don’t require immediate attention are shown when a task is started, finished, or the user is waiting for a task to complete.

While it might seem that this study was a waste of time that proves something we all know, it will have an impact on our daily lives – or, more specifically, on the lives of Google Chrome users.

The research was performed in collaboration with Google Chrome security engineers, and its results convinced them to tweak the timing of the security messages in future versions of the Chrome Cleanup Tool.

Hopefully, other software makers will follow. With the human element consistently being the weakest point of the security chain, we need all the help we can get to make the right choices.

Help Net Security

As some point you have probably downloaded a "free" piece of software only to find it has come with a whole host of other unwanted friends that go on to redirect your browser search bar or inject ads where there weren't any before.

This is the world of pay-per-install (PPI) and Google, along with New York University and the International Computer Science Institute, spent a year digging into the little-understood market, publishing their results in a paper [PDF] this week.

What they found over the course of 12 months makes for sobering reading: the issue of PPI is three times greater than malware: no less than 60 million download attempts every week. That's something that the authors say represents "a major security threat". They estimate as many as five per cent of all browsers have been affected.

Why is it such a big problem? Two reasons: first, it is not illegal. Companies that want their software on millions of people's system pay publishers to bundle it with legit software that the user then actively chooses to download and install.

That pushes the law right to its very boundaries but the fact that a number of big name companies, including Skype and Opera, are using this method to disburse their software is testament to the fact it is not a crime.

The second big reason that PPI is a so widespread is, of course, money. The authors note that one of the four large PPI outlets that they looked at took in $ 460m in revenue in 2014. With money like that, you can expect interest.


And sophistication. The paper notes that the download bundles come with a good degree of technical know-how. Variations in software to account for different operating systems and browsers are automatically installed. PPI publishers store between five and 50 different offers/bundles and provide whichever is most effective for your particular machine.

Some software builds in a 20-day delay before waking up so users don't immediately associate it with the free download they just installed. Some check in the computer's registry for anti-virus and that they're not already installed.

The team found a total of 15 PPI affiliate networks dotted around the globe providing a total of 160 software families. And it dug into pricing: the price you pay to have your software installed comes as a per-install cost and varies according to region and network. For one network, the cheapest cost was $ 0.06 or six cents for Vietnam, up to $ 1.50 per install for North America. The United States was persistently the most expensive market, followed next by the UK.

Despite efforts to block the installations from occurring, the PPI networks have a wide variety of ways to bypass their efforts. The paper's authors found that affiliates jump between domain names every seven hours in order to constantly stay ahead of blocking efforts. They incorporate technology to get past filters and virus scans.

Despite the team noting that 59 per cent of the software they discovered was flagged by anti-virus as "unwanted", that still means more than 40 per cent of it was getting past – and that's for systems with antivirus on.


As for where you can pick these delightful pieces of software up from: the greatest percentage of bundles came through freeware and shareware websites (11.8 per cent) but there were a wide range of other outlets: websites offering video games, file sharing, online video, operating systems, hacked and cracked software, and so on.

In short, if you are trying to download something for free that you know you should really be buying, chances are it will come with some unwanted extras that your system will not notice.

"PPI networks operated with impunity towards the interests of users, relying on a user consent dialogue to justify their actions," the report notes. "We hope that by documenting these behaviors the security community will recognize unwanted software as a major threat."

In a related blog post, Google noted that it was constantly improving and updating its "safe browsing" notices in order to flag up sites that includes this sort of software, and its Cleanup Tool that helps prevent their installation. It is also a part of the Clean Software Alliance which is building an industry-wide approach to blocking these sorts of downloads. ®

Sponsored: The Nuts and Bolts of Ransomware in 2016

The Register - Security