Protiviti / SharePoint Blog

October 23
Warning Your Web Site May Not Be So Secure

For the common internet user, the easiest way to tell whether a website is secure has been to look for the “s” after the http in the site’s URL. This has been circulated as the way to confirm that the data you enter on a site is secured through a certified encryption process. Overall, this theory is correct, except when the certificate issued to encrypt the data is no longer 100% secure.

In the fall of 2013, Microsoft announced a new policy to begin deprecating SSL certificates that employ the SHA-1 algorithm. The recommendation is to replace all such certificates with ones that use the updated SHA-2 version. The reason behind the recommendation is that the SHA-1 algorithm has been in use since the late 1990s. Just in case you weren’t aware, that’s basically since the infancy of the World Wide Web. As technology continues to grow and cyber-crimes advance, so must the security protocols in place to protect the approximately 7.5 billion users of the World Wide Web.

Microsoft’s plan for phasing out these certificates has a cutoff date of January 1, 2017. However, Microsoft intends to reevaluate this date midway, in July 2015, and may move up the timeline according to the threat level.

Most recently, Google also joined the push to deprecate SHA-1 certificates. Beginning next month, November 2014, Chrome will begin displaying warnings to users on sites that are secured using SHA-1 certificates. Google has an incremental notification plan based on the SHA-1 certificate type and the expiration date of the site’s certificate. For more details on the key dates for Chrome users, please visit http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html.

What this means to you…

If you are a user, it just means that you may start getting security warnings from sites that you have previously used, and that you may want to double-check a site beyond relying on the “s” before entering your personal information.

If you are an admin, you should verify the security level of your servers’ SSL certificates and upgrade them sooner rather than later.

Also, for any user who would like to check a website’s certificate, I have documented the steps to take for 3 of the top browser platforms (IE, Firefox & Chrome). Please follow the instructions below after navigating to the site.

In IE: Right-click on the site page and select Properties from the menu.


Next click on the Certificates button:

Then choose the Details tab: 

In this window you will see the SHA version being used by the SSL certificate on the site. Image 1 shows a site using the expiring version, and Image 2 shows a site using the next version, SHA-2.

In Firefox: Right-click on the site and select View Page Info from the menu.

Next choose the Security tab in the window:

In the Security tab, select View Certificate:

In the certificate viewer window, navigate to the Details tab:

Under the Certificate Fields section, select Certificate Signature Algorithm. The SHA version will then display in the Field Value box.

In Chrome: Right-click on the site and select View Page Info from the menu.

In the next window, select the Connection tab and click on Certificate Information:

Then select the Details tab to view the SHA algorithm used:
