CA Council to Improve Internet Certificate Security in 2016

On Jan. 1, 2016, the SHA-1 deadline kicks in, helping to kick off what could be a breakout year of Internet certificate security.

Internet Certificate Security

At the heart of much of the Internet's security is the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS), which provides encryption for data in motion. Certificate Authorities (CAs) are the trusted entities that issue TLS certificates, and as a group, the CAs are gearing up for big year in 2016, with multiple efforts designed to improve the security of the Internet.

Among the leading associations of CAs is the CA Security Council (CASC), a group of organizations that got started in 2013 as an advocacy building group for the SSL/TLS industry.

The big change that the CASC is helping to usher in on Jan. 1, 2016, is the widespread deployment of TLS certificates signed with the SHA-2 (Secure Hash Algorithm) cryptographic hash. SHA-2 is the successor to SHA-1, which has been widely deployed in the last decade and is now seen as cryptographically insecure.

"Any Website that needs to get a TLS certificate will only be able to get a SHA-2 certificate as of Jan. 1," Bruce Morton, director of certificate services at Entrust, told eWEEK. "All the modern operating systems and browsers support SHA-2, but a small percentage of older browsers don't support SHA-2."

While some systems and devices don't support SHA-2, the shift on Jan. 1 will not break the Internet or actually change the way the Web works.

"On Jan. 1, nothing really happens that's different than Dec. 31," Doug Beattie, vice president of product management at GlobalSign, told eWEEK. "Everyone has been working hard at replacing their SHA-1 certificates with SHA-2, and that will continue because no one will be able to issue a SHA-1 certificate anymore."

Beattie added that the browser vendors aren't making instant updates on Jan. 1 that disable SHA-1. That said, browser vendors have announced plans to slowly deprecate support for SHA-1, but that's a gradual process and from a user perspective; the Internet will work the same on Jan. 1 as it does on Dec. 31.

"Some organizations, however, might be surprised when they go to renew their TLS certificate in the first or second quarter of 2016 and realize they can't get a SHA-1 certificate," Beattie said.

Both Beattie and Morton emphasized that the CAs have been contacting customers over the course of 2015 with reminders about the SHA-1 deadline and the need to migrate to SHA-2. Approximately 80 percent of Websites are already supporting SHA-2, Morton said.

Even for users on older devices and operating systems that do not support SHA-2 by default, there typically is an easy workaround—just install a new browser that supports SHA-2, Morton said. For example, while Windows XP SP2 doesn't support SHA-2, Firefox can still be installed on that operating system and will provide SHA-2 support, he added.


SHA-1 isn't the only issue that will impact CAs and Web server operators in 2016. The RC4 stream cipher, which is also used in TLS encryption, is also being deprecated across the Internet, as it has been deemed to be cryptographically insecure, as well.

In contrast to the SHA-1 issue, which requires Websites to obtain a new SHA-2 certificate from a CA, with RC4, no new certificate is required.

"RC4 is more of a server-configuration issue," Morton explained. "Organizations need to make sure they are selecting the right set of cipher suites to support secure TLS.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.