
5 Ways not having an SHA-2 SSL certificate kills your site

No SSL, SHA-1, SHA-2? What difference does it make?

Available since 1995, SHA-1 certificates have become increasingly vulnerable, their deprecated hashing algorithms more and more susceptible to hacking.

But SHA-2 makes use of newer, more powerful algorithms which, in a nutshell:

  • Make it much more difficult for sites to be impersonated
  • Decrease the chances that customers will hand over sensitive personal information to a fraudulent site
  • Bring stronger security to online communication

For these reasons, the migration to SHA-2 has been in place for some time now, with various web browsers having already established SHA-1 deprecation dates as far back as 2013. If you do not yet use SSL at all, your site is not benefitting from any of these important advantages.

Without SHA-2, you’re only hurting yourself

Increasing Internet security has become more of a priority in the last few years, with millions of websites impacted by the shift to SHA-2 encryption. While many have already migrated to SHA-2 (or are currently in the process of doing so), some sites are still running on SHA-1 or even no SSL at all. These sites, however, are at risk of a host of associated trust and security problems.

If you’re one of those who haven’t already made the move to SSL and secure website encryption, here are five good reasons not to put it off any longer:

1. No SHA-2, no conversion

Even back in 2017, Certification Authority (CA) GlobalSign reported that 85% of online customers think twice before buying through a website which does not display a green address bar, recognised by most users as a prominent sign that a site’s connection is secure. Lack of security certification only results in lost sales. After all, who wants to provide credit card details to a site that isn’t trustworthy and flashing a big “Not Secure” message?

2. Chrome penalises sites lacking SHA-2 encryption

Since Chrome 56, Google no longer considers SHA-1 certificates to be trustworthy. For the last 3 years, Google Chrome has alerted users when they are about to share personal information such as bank account information or passwords on a site which isn’t SHA-2 secure. Customers are now seeing a big red warning which reads “Not secure” and, really, could there be a scarier deterrent?

3. And Chrome isn’t the only web browser issuing security warnings

Since the release of Mozilla’s Firefox 52, the company has been following Google Chrome’s move to create a more secure experience for users. Login and credit card fields on non-secure HTTP sites requesting sensitive user information now display the following popup: “The connection is not secure. Logins entered here could be compromised.” Similarly, Safari is providing a red “Not Secure” warning to users in the browser URL bar.

4. You’re not benefiting from an important ranking factor

Google has determined that a site’s level of encryption is a factor in its search ranking algorithms. SHA-2 is a valued ranking signal. While SHA-2 does not presently carry the same weight as other important factors – namely, strong content – Google has hinted that, in the future, (the lack of) SHA-2 will take on more importance.

5. Your dated SSL certificate is as useful as no certificate

In an effort to reduce certificate vulnerabilities, the CA/Browser Forum – an industry body made up of SSL Certification Authorities, web browsers, and operating systems – reduced the validity period for certificates from three years to two years. This change applied to certificates issued after March 2018, so those last SHA-1 certificates are expiring now in 2020 and it’s time to update your encryption!

Get the right SSL certificate for your needs

Certification Authorities offer a variety of flexible SHA-2 certificates to meet your individual needs but, to some extent or another, they will:

  • Verify that an entity has the right to use a specific domain name
  • Ensure that the entity undergoes some form of vetting
  • Alert end users that vetting has taken place, thus increasing their trust

The level of encryption, insurance and corresponding level of trust from users matches the level of company or personal verification required for different SSL solutions.

To discuss different SSL options and advantages please get in touch and we’ll be able to help you make the best choice and upgrade your website’s encryption.


© 352 Digital Sàrl | Legal Notices | Luxembourg Web Agency