SHA-1 Certificates: Talking to Your Leadership about the Business Risk

Yeah, you know you need to upgrade from SHA-1 to SHA-256. Given the number of legacy and third party products in your environment, it’s not going to be easy, fast or cheap, but you’ve cataloged what needs to be done and you have a plan. Now you have to sell ... Read More

Why SHA-1 Migration is Hard, And How to Address the Challenge

It’s not breaking news that we need to stop using SHA-1. Public trust CAs stopped using SHA-1 to sign certificates in January 2016, and browsers stopped trusting SHA-1 certificates in January of 2017. Google’s February announcement of a SHA-1 collision added some extra urgency to the situation. And yet, despite ... Read More

Certificate Management: To Client or Not to Client

I thought about titling this blog, “Are Clients Dead?”, but that’s an absolutist question meant to provoke, and I’m getting exhausted with security absolutism these days. Never mind clients: nuance is certainly not dead. With that in mind, I’d like to take you through some of the questions you might ... Read More