At some point during the summer of 2017, your customer-facing and internal web applications that rely on SHA-1 hashing will be inaccessible to users. Though no specific date for this shift was given, Microsoft says that it's Edge and Internet Explorer browsers will no longer support TLS certificates signed with the SHA-1 hashing algorithm. Similarly, Google Chrome and Firefox also plan to phase out support for the algorithm. Microsoft and others are phasing out SHA-1 because researchers now say that attackers could forge certificates signed with that algorithm using about $120,000 worth of computing resources, an amount well within the budgets of organized criminal groups.
Now is the time to conduct an inventory of which web applications need to be updated with stronger hashing algorithms.
ExtraHop offers a Certificate and Encryption Auditing dashboard that reveals which applications in your environment are using SHA-1 certificate signing. This dashboard is automatically populated based on the ExtraHop platform's passive analysis of traffic—no manual configuration or tagging required!
With the ExtraHop platform, you can:
- Catch insecure hash functions still used to sign certificates, such as MD5 and SHA1
- Find weak ciphers being used in your environment
- Track expiring certificates that could impact service delivery
- Audit usage of non-compliant and outdated protocols such as SSLv3 or TLSv1.0
- Identify anonymous ciphers vulnerable to man-in-the-middle attacks
Try ExtraHop for yourself in our online demo. To see all sessions by TLS version and all cipher suites in use, just select the Metrics tab at the top of the page and then SSL Servers from the list of activity groups. If you are already an ExtraHop user, you can get the Encryption: Cipher Suite Auditing dashboard by making sure the Essentials bundle in your ExtraHop is enabled.