Since its founding, Symantec has been dedicated to security. That is our raison d’etre. As such, we continually collaborate across the industry to update standards, making them more secure and harder to hack or fake. That is why the CA/Browser Forum determined that Certification Authorities must not issue public SHA-1 TLS certificates after December 31, 2015. While this directive is an important step in making the Internet safer and more secure, the transition process also needs to support companies with legacy systems and devices so they are not left behind or saddled with insurmountable IT costs.
We liken this to when the US government determined that the use of lead paint was unsafe and should stop being used. That directive was absolutely the right thing to do moving forward, but to require that every house and building in the US remove all lead paint by a certain deadline would have created financial and logistical impossibilities for consumers and businesses. While it is correct to strive for the perfect ideal, the real-world implications are often a bit messy.
In the same vein, the shift to the SHA-256 standard severely impacts legacy systems and applications. We heard from some of our customers that they could not switch out every certificate in every application and device, not only because of the time and cost involved, but also because many of the systems and some older browsers simply don’t support SHA-256. While we fully support and encourage the transition to SHA-256 from a security purist standpoint, we also believe it is unreasonable to force our customers to absorb significant business and financial hardships that could severely impact their viability and operations, as well as that of their end users.
Therefore, we were left with a choice: either force customers to completely cease support of all those legacy systems, applications, devices and browsers that cannot support SHA-256, or try and identify ways to help ease the transition for customers to SHA-256 while minimizing the risk of continued SHA-1 support for those customers who still need it.
In an effort to help these customers, Symantec, along with other CAs and Microsoft, proposed a CA/Browser Forum ballot to allow continued issuance of SHA-1 TLS certificates into 2016, as long as those certificates expired by the end of 2016 – providing additional transition time for those who needed it. During the ballot debate, researchers unveiled new attacks against SHA-1, revealing the algorithm to be weaker than originally thought. As a result, the ballot was withdrawn.
Throughout 2015, Symantec and other CAs issued fewer and fewer SHA-1 TLS certificates as we transitioned to certificates signed with the newer, stronger SHA-256 hash algorithm. That was as expected, since the industry has been working for several years to manage this algorithm transition.
We’re now beyond December 31, 2015 - the SHA-1 issuance deadline set by the CA/Browser Forum Baseline Requirements. And as we look back over the last three months of 2015, it’s clear that customers had planned around this deadline as we experienced a last-minute surge in customer orders for SHA-1 certificates in December:
October | November | December |
7,076 | 6,096 | 19,278 |
Many customers clearly chose to enroll for and to obtain SHA-1 certificates as close as possible to the end-of-2015 issuance deadline, something even recommended by one of the browser members of the CA/Browser Forum.
But we have customers for whom even all of 2016 is not enough time to transition. For these customers, we have identified another way to help – to use our legacy public roots for specific use cases (such as with legacy feature phones) while instructing browsers, and all other clients that can, to stop trusting these roots for general applications. Given the nature of the attacks on SHA-1 and other hashing algorithms, the best defense is really in the hands of the browsers and other clients to remove support for SHA-1 altogether.
With that goal in mind, we reached out to browser vendors in November 2015 to formally advise them to remove or “un-trust” our legacy PCA3-G1 root if they had not already done so (some had removed the root earlier in 2015). With browsers discontinuing support for SHA-1 and our PCA3-G1 root specifically, the general risk of a SHA-1 attack is substantially reduced. This multi-prong approach strikes the hard-sought balance between our intent for stronger security and our intent for a practical transition for all involved. Even this approach is proving more difficult than expected, as it created issues for some clients, such as those with older Android devices and for some code-signing customers on Windows. Given additional transition time potentially needed by these clients, we will continue to include our legacy PCA3-G1 root in our annual WebTrust for CAs Audit so anyone still supporting these roots can be confident that certificates issued from these roots are issued in line with our public Certificate Policy and Certificate Practices Statement.
While moving to a private CA root can help those customers with incompatible systems, Symantec has repeatedly directed all of our customers who can to make the transition to SHA-256 as quickly as possible. The guide we issued on moving from SHA-1 to SHA-256 certificates can be found in our Knowledge Base.
Symantec fully supports the deprecation of SHA-1, but we are also acutely aware of the difficulty this transition poses for many enterprise customers and technology providers across the ecosystem. We have put in place measures that we hope balances the very real business needs of our customers with the goal of creating a more secure web environment. As a founding member of the CA/Browser Forum, we wanted to be open and transparent about how we have tackled this transition and why we made the decisions we did to both advance adoption of the latest security standards while finding practical ways to support our customers who are struggling with very tangible issues.