TMCnet News

Venafi Research: Twenty-One Percent of Websites Are Still Using Insecure SHA-1 Certificates and Putting Users at Risk
[March 08, 2017]

Venafi Research: Twenty-One Percent of Websites Are Still Using Insecure SHA-1 Certificates and Putting Users at Risk


New research from Venafi® Labs shows that 21 percent of the world's websites are still using certificates signed with the vulnerable Secure Hash Algorithm, SHA-1.

On February 23, 2017, Google (News - Alert) affiliated security researchers announced they cracked the SHA-1 security standard using a collision attack. The incident proved that the deprecated cryptographic secure hash algorithm still used to sign many website digital certificates can be manipulated. Newly issued certificates using the SHA-2 family of hash functions solve these problems, but Venafi Labs' research shows that many companies have not replaced all their certificates with ones signed by SHA-2. This leaves organizations open to security breaches, compliance problems, and outages that can affect security, availability, reliability and even profits.

"The results of our most recent analysis are not surprising," said Kevin Bocek, chief security strategist for Venafi. "Even though most organizations have worked hard to migrate away from SHA-1, they don't have the visibility and automation necessary to complete the transition. We've seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I'm sure we are going to see it again."

Web transactions and traffic may be disrupted in a variety of ways due to use of insecure SHA-1 certificates:

  • Browsers will display warnings to users that the site is insecure, prompting users to look for an alternative site.
  • Browsers will not display the 'green padlock' on the address line for HTTPS transactions; consumers rely on this icon as an indication that online transactions are secure and private.
  • Sites may experience performance problems; in some cases, access to websites may be completely blocked.

In addition to the seriousimpact on user experience, websites that continue to use SHA-1 certificates are likely to experience a significant increase in help desk calls and a reduction in revenue from online transactions as users abandon websites due to security warnings.



Encryption is required for private and secure communications and transactions. Digital certificates are used to identify and authenticate machines and establish encrypted sessions between users and websites. Digital certificates also verify that the website to which the user is connecting is legitimate and all web browsers use certificates to determine what can and can't be trusted during online transactions. This is particularly critical in transactions that include sensitive data such as eCommerce and online banking.

In February 2017, the Venafi Labs research team analyzed data on over 33 million publicly visible IPv4 websites using Venafi TrustNet™, a proprietary database and real-time certificate intelligence service. This research discovered that more than 1 in 5 certificates for unique IP addresses are still using SHA-1 as the signature hash algorithm.


Additional Resources

Blog Post: SHA-1 Collides with Reality: And It's DOA.

Executive Brief: How Mature Is Your SHA-1 Migration?

SHA-1 Migration Guide: How to Migrate to SHA-2 Now

About Venafi

Venafi is the market-leading cybersecurity company that secures and protects the cryptographic keys and digital certificates every business and government depends on for secure communications, commerce, computing, and mobility. Venafi provides the Immune System for the Internet® and constantly assesses which keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking those that are not. By protecting the foundation of all cybersecurity-keys and certificates-Venafi prevents them from being misused by cyber criminals. The Venafi Trust Protection Platform delivers an ever-evolving, intelligent response that protects your network, business, and brand.

Venafi customers are among the world's most demanding, security-conscious Global 2000 organizations, including four of the top five U.S. banks, eight of the top 10 U.S. health insurance companies and four of the top seven U.S. retailers. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Intel (News - Alert) Capital, Origin Partners, Pelion Venture Partners, QuestMark Partners and Silver Lake Partners. For more information, visit www.venafi.com.


[ Back To TMCnet.com's Homepage ]