Update, 12/10/2015: Check out SHA1 sunset will block millions from encrypted net, Facebook warns
I came across this great new open source website, Shaaaaaaaaaaaaa.com (awesome domain), that will check whether or not the SSL certificate you installed on your website will be deemed obsolete and worthless by Google next month. Just enter your website’s URL and it will analyze your SSL certificate – you know, the SSL cert – the thing that adds the padlock and the HTTPS to preface the URL of your website. Yes, Google is also judging you for your cert now, and this news is coming right on the heels of the speculation and buzz around Matt Cutts’ speculation and buzz that he’d like to see SSL and HTTPS become a ranking factor in Google search results.
I like to use a lot of insanely hyperbolic loaded language in my headlines and introductory sentences, so let me start by explaining what I mean when I say “before Google Distrusts You”. I mean distrust in this sense as a verb, like unfriend – and you don’t want Google to unfriend you, do you?
And yet Google might do just that. It will start slowly, almost imperceptibly at first. In the coming months as Google rolls out new updates to Chrome your site visitors may start seeing warning signs in the form of a yellow triangle over your once seemingly rock-solid and trustworthy padlock. If you don’t do anything about it that may escalate to having the padlock removed altogether! And in several more months, if you’ve still done nothing about it, Google will morph from a seemingly harmless ambivalent former friend to an actively hateful and spiteful Ex, slashing your HTTPS in half with a bright red line and spray-painting a big red X all over your once secure padlock.
Scared? Don’t be. Because it’s pretty easy, and usually free, to fix. Here’s what’s happening: Google is slowly phasing out SSL certificates created with the older SHA1 algorithm in favor of those created with the newer and more secure SHA2 algorithm. (This post could turn ugly and overly technical really fast if I start throwing terms like RSA keys around, and start expounding on why SHA256 bit encryption is way better than SHA128 bit, but you don’t even need to know anything that technical to fix the problem).
Go back to how ever you installed your SSL cert in the first place, get a new one issued that’s been encrypted with the newer SHA2 algorithm, and just install it. That’s it. For example, if you used RapidSSL or GeoTrust, just login to their website and ask them to reissue your certificate with SHA256 bit encryption. Which leads to my next question, just how did you install your SSL cert in the first place?
There are basically 2 types of SSL installation techniques you could have gone with: you either understood how to generate a self-signed certificate request, purchased and downloaded a newly issued SSL cert and installed it yourself, or you just asked your server guy or girl to do it. I’m willing to bet about 9 out of the 9 people who read this post fall into the latter category, so all you have to do to get the new SHA2 cert installed is just call your hosting company and ask them to do it for you. If you fall into the former category, you’re probably already shaking your head at the fact that this blog post was published via WordPress and not painstakingly yet lovingly and laboriously hand coded over the course of several hours in vi (screw emacs) on an SSH terminal in X Windows. There are, of course, more detailed instructions in case you don’t neatly fit into one of those two categories.
OK, we’ve got the how out of the way, now for the So Why exactly did Google just tell everyone they should get an SSL certificate installed and then basically make almost half of the internet obsolete*? It’s not because they’re evil, or are trying to make money (well sometimes), or are trying to keep you on your toes (well, maybe that one too). It’s because in this instance they actually have the good of the internet and everyone on it in mind. The internet is just as insecure as it always was, but hackers and their tools are getting better and more efficient. SHA1 is becoming weaker and less secure every day. And since a lot of people think you can just install SSL and Voila! everything is secure (no, it’s not), it’s even worse for people to have false faith in an SSL that doesn’t even do the one thing it’s supposed to do well, which is encrypt network traffic effectively.
Their well-meaning and noble intentions aside, none of this changes the fact that Google really kind of sprung this on everyone. Not only does the installed certificate have to be upgraded to SHA2, but every cert in the chain has to as well! Which means new intermediate chain files need to be installed with it on your server. I realize you probably have no idea what I’m talking about, but to give you an idea, as of this writing a very popular and widely used CA (Certificate Authority) that I’ve used before, RapidSSL, still has not announced a definitive date that it will even have these chain files ready to be issued! Now, it’s one thing for a developer or a marketer to be late hearing the news that a new SSL algo is being required, but it’s another altogether for any netsec folks to be caught off guard. I’ve talked to some server admins who had no clue this was as far reaching as it is, because they assumed intermediate chains wouldn’t be effected. But it will actually require all these CAs to update their own certs, which then trickles down to require everyone to whom they’ve ever issued a cert to update not only their own certs but their chains as well.
And RapidSSL is not the only one with no intermediate chains to offer; there are plenty of other CAs that just don’t have them ready yet. (or at least not readily available where you can find it via a Google search, which I couldn’t). A couple of them do, and Eric Mill’s tool either lists them or links to pages which list them, and I’m sure it will be updated as more do roll them out.
* That’s a gross conjecture I just created based on this guy’s actual thoughtful research. Even if 45% of the top 100k sites on the web use SSL, I highly doubt that number could be extrapolated to estimate the percentage of sites on the internet using it. And even if it did, I have no idea how many are using SHA1. Insanely hyperbolic.