Google & SSL: Building a Secure Internet

Google dreams of a secure internet, one that runs completely on secured websites. In early September, Google announced that it will no longer trust SHA-1 certificates and will begin implementing transitional warnings in the Chrome browser. When version 39 comes out (estimated for early November), the HTTPS lock in the URL bar will start displaying a warning when SHA-1 is being used.

Other browser vendors (Microsoft and Mozilla) have also announced deprecation plans for 2016, but none has laid out a specific line of action the way Google has.

Should this get you worried? No! But you should know what it means and react accordingly.

What is SSL & HTTPS?

SSL stands for Secure Sockets Layer, a protocol that allows a secure connection when accessing a website. It encrypts the connection between the server and the client.

  • An encrypted domain looks like: https://www.yourdomain.com/
  • An unencrypted domain looks like: http://www.yourdomain.com/

When you see an “s” at the end of http, it means the site you are visiting is secured with an SSL certificate.

What is SHA-1 & SHA-2?

These terms designate hashing algorithms. When an SSL certificate is created, the Certificate Authority signs it using one of these algorithms, and the resulting signature is supposed to be nearly impossible to forge. Until very recently, SHA-1 was the predominant algorithm used by Certificate Authorities (CAs), but SHA-1 has become very weak, and most CAs have started offering SHA-2, which is strong and supported almost everywhere.

What’s Google’s Involvement in All of This?

Google announced that “HTTPS sites whose certificate chains use SHA-1 and are valid past the 1st of January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface”. Therefore, Chrome users will begin seeing warnings as early as December when the site uses a SHA-1 certificate.

Chrome Warnings

image courtesy of Eric Mill at konklone.com

For Chrome users, this means that you might start seeing websites flagged as untrustworthy, not because they are not secure, but because Google has decided that they are not secure enough. Experts agree with this practice because SHA-1 is just not good enough anymore.

I Have An SSL Certificate. What Should I Do?

If you are a website owner with an SSL certificate, you know as well as I do that your certificate equates to trust in the customer’s eyes. It is imperative that you make sure that your certificate uses SHA-2. To test this out, use this tool.

If you have a SHA-1 certificate, contact your Certificate Authority and ask if it is possible to re-issue your current certificate with the SHA-2 algorithm. Re-issuing certificates is a common practice and should not be too hard. You will then have to painstakingly go through the reinstallation of your certificate on your site / server.
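The check described above can also be done by hand. The following is an added example (not part of the original article and not Funio's tooling) that applies the criterion Google stated, SHA-1 anywhere in the chain together with validity past 1 January 2017, to the text printed by `openssl x509 -noout -text` for the leaf and intermediate certificates. The sample chain and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Date from the Google statement quoted in the article.
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)

# Constructed sample: trimmed `openssl x509 -noout -text` output, leaf first.
SAMPLE_CHAIN = """\
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example Intermediate CA
            Not After : Mar 15 12:00:00 2017 GMT
        Subject: CN=www.yourdomain.com
Certificate:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Root CA
            Not After : Jun  1 00:00:00 2024 GMT
        Subject: CN=Example Intermediate CA
"""

def parse_chain(text):
    """Return (subject, signature algorithm, expiry) for each certificate."""
    certs = []
    for block in re.split(r"(?m)^Certificate:", text)[1:]:
        alg = re.search(r"Signature Algorithm:\s*(\S+)", block).group(1)
        subject = re.search(r"Subject:\s*(.+)", block).group(1).strip()
        raw = re.search(r"Not After\s*:\s*(.+)", block).group(1)
        expiry = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y GMT")
        certs.append((subject, alg.lower(), expiry.replace(tzinfo=timezone.utc)))
    return certs

def assess(text):
    """Label each certificate: 'ok', 'reissue', or 'sha1-expires-before-cutoff'."""
    results = []
    for subject, alg, expiry in parse_chain(text):
        if "sha1" not in alg:
            verdict = "ok"
        elif expiry >= CUTOFF:
            verdict = "reissue"  # SHA-1 and valid past 1 January 2017
        else:
            verdict = "sha1-expires-before-cutoff"
        results.append((subject, verdict))
    return results

def chain_flagged(text):
    """True if any certificate in the chain meets the quoted criterion."""
    return any(verdict == "reissue" for _, verdict in assess(text))

if __name__ == "__main__":
    for subject, verdict in assess(SAMPLE_CHAIN):
        print(f"{verdict:28} {subject}")
    print("chain flagged:", chain_flagged(SAMPLE_CHAIN))
```

In the constructed sample the site's own certificate already uses SHA-2, yet the chain is still flagged because of the SHA-1 intermediate, so a re-issue should include the intermediate certificates the CA supplies.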

If you have an SSL certificate with Funio, we have been providing SHA-2 certificates for some time already, but earlier certificates were created using SHA-1. If you need your SSL certificate re-issued, simply contact our support team and we will gladly take care of that for you. Our automated installation process can then be used to reinstall the certificate on your hosting space easily.

Published by Funio Team in: Funio, SSL
