A collaborative security group has announced successful "Freestart Collisions" on SHA-1 (https://sites.google.com/site/itstheshappening/). While this type of collision doesn't directly lead to full collisions with SHA-1, it enabled them to better predict the viability of a successful SHA-1 attack. As a result, they urge website administrators to replace their SHA-1 certificates.
Hashing collisions occur when two different messages or certificates hash to the same value. In the case of SHA-1, the resulting hash is 160 bits; however, the researchers have built on past cryptanalytic advances that weaken the strength of the hash. With higher computing power at lower prices, the possibilities of breaking SHA-1 increase every month.
GlobalSign supports the CA/B Forum, which prohibits all publicly trusted CAs from issuing SHA-1 SSL Certificates after December 31, 2015. We also follow further industry guidelines (first proposed by Microsoft in 2013) to remove trust for all SHA-1 SSL Certificates starting January 2017.
As part of our ongoing customer communications, we urge all customers to renew or reissue their SHA-1 certificates in 2015 - this latest report is another reminder of the importance of upgrading to preserve the security of your website.
Upgrading your certificate to the more secure SHA-256 algorithm is very simple, and it is also free. We provided a step-by-step guide to help with the transition in one of our previous blogs: 3 Easy Steps to migrate your Certificates from SHA-1 to SHA-256.
In the event that some legacy applications still require SHA-1 during 2016, GlobalSign provides the following two options:
Request and receive a new SHA-1 certificate before December 14, 2015, which is the cut-off date for GlobalSign accepting new SHA-1 orders.
When public trust is not needed, use IntranetSSL.
When you renew or reissue your SSL Certificates, consider using RSA keys longer than 2048 or ECC keys of 256 or 384 bits for optimal security.
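To find which certificates still need replacing, the check below (an added example, not GlobalSign's tooling) reads the text dump printed by `openssl x509 -noout -text` and flags SHA-1 signatures and keys that fall short of the sizes suggested above. The function name, verdict labels and sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify one certificate from the text dump produced by
#   openssl x509 -in cert.pem -noout -text | audit_cert_text
# The function only reads text on stdin, so it also works on saved dumps.
audit_cert_text() {
    awk '
        # The dump lists the signature algorithm twice (signed body and
        # outer signature); the first occurrence is enough.
        /Signature Algorithm:/ && sig == "" {
            sig = $0
            sub(/.*Signature Algorithm:[ \t]*/, "", sig)
            sub(/[ \t\r]+$/, "", sig)
        }
        /Public Key Algorithm:/ && key == "" {
            key = $0
            sub(/.*Public Key Algorithm:[ \t]*/, "", key)
            sub(/[ \t\r]+$/, "", key)
        }
        # "Public-Key: (2048 bit)"; older OpenSSL prints "RSA Public-Key:".
        /Public-Key: \(/ && bits == "" {
            bits = $0
            sub(/.*\(/, "", bits)
            sub(/ bit.*/, "", bits)
        }
        END {
            if (sig == "") { print "verdict=unparsed"; exit 2 }
            b = bits + 0
            verdict = "ok"
            # Key sizes follow the post: RSA longer than 2048, ECC 256 or 384.
            if (key ~ /rsa/ && b <= 2048) { verdict = "consider-stronger-key" }
            if (key ~ /ecPublicKey/ && b != 256 && b != 384) { verdict = "consider-stronger-key" }
            # A SHA-1 signature takes priority. Both sha1WithRSAEncryption
            # and ecdsa-with-SHA1 match this test.
            if (tolower(sig) ~ /sha1/) { verdict = "replace-sha1" }
            printf "sig=%s key=%s bits=%s verdict=%s\n", sig, key, bits, verdict
        }
    '
}

# Constructed excerpt of an openssl text dump, not a real certificate.
SAMPLE_DUMP='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha1WithRSAEncryption'
```

Running `printf '%s\n' "$SAMPLE_DUMP" | audit_cert_text` reports the sample as `replace-sha1`; the same check applies to every certificate in a chain except the self-signed root, whose signature is not what clients rely on.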
For more information or advice, you can consult the full report at https://eprint.iacr.org/2015/967.pdf or get in touch with a GlobalSign expert!