SHA-1 Certificates: Talking to Your Leadership about the Business Risk

Yeah, you know you need to upgrade from SHA-1 to SHA-256. Given the number of legacy and third-party products in your environment, it’s not going to be easy, fast or cheap, but you’ve cataloged what needs to be done and you have a plan. Now you have to sell the business on that plan in order to get/maintain the necessary funding. How can you do that? Business leaders are not likely to respond to deep technical arguments; they need (and want) a clear explanation of the risk. How do you explain to your business the risk of continuing to use SHA-1 certificates? With public trust SSL certificates, the impact is apparent and very visible. Visitors to your website (including customers and prospects) will get a message that your website certificate cannot be trusted and will be asked whether they want to proceed. Some will opt not to, thus reducing traffic to your site. Those that do continue to your site may feel a lower level of trust in your site and organization. The same issue holds in many private trust scenarios; perhaps you have set up an internal PKI to manage partner and customer portals. Again, those partners and customers...

Why SHA-1 Migration is Hard, And How to Address the Challenge

It’s not breaking news that we need to stop using SHA-1. Public trust CAs stopped using SHA-1 to sign certificates in January 2016, and browsers stopped trusting SHA-1 certificates in January of 2017. Google’s February announcement of a SHA-1 collision added some extra urgency to the situation. And yet, despite repeated warnings and recommendations to move off of SHA-1, a large number of organizations still use it – some in their public trust certificates (as of April, Netcraft had counted over 75,000 public trust certificates on the Internet still using SHA-1), others in private trust scenarios (in March, Venafi estimated that about one in five public websites still had SHA-1 certificates – many of these websites may be using private trust in order to continue supporting SHA-1). It would be easy to write a blog critical of those organizations that are not keeping up with cryptographic best practices, but sarcastic, condescending blog posts aren’t going to help the situation, and they don’t address the underlying question: WHY? Why have so many organizations delayed their SHA-1 migration? Quite frankly, sometimes that migration can be difficult and expensive. Think about what it means to be using SHA-1. If you have two systems that communicate...

Certificate Management: To Client or Not to Client

I thought about titling this blog, “Are Clients Dead?”, but that’s an absolutist question meant to provoke, and I’m getting exhausted with security absolutism these days. Never mind clients: nuance is certainly not dead. With that in mind, I’d like to take you through some of the questions you might ask yourself as you determine whether to deploy clients to help automate certificate management. Recall that a client is a piece of software that you deploy on various endpoints in your infrastructure so that you can help manage and control how the endpoints interact with a particular process or technology. In the case of PKI, and certificate management in particular, you might deploy clients to automate certificate issuance and renewal. The client can submit the certificate request and install the returned certificate on the endpoint, with little or no interaction from the end user. This helps ensure ease of use and uniformity in the process. Clients used to be the best / only way to enable smooth interaction with the endpoint, but they had downsides too. First of all, you needed a client for every operating system in the infrastructure. If you had a fairly homogeneous set of endpoints (all running...