A new cyber security report from Venafi has revealed that over 21% of all websites are still using an insecure SSL certificate. SHA-1 certificates have been shown to be vulnerable to man-in-the-middle attacks, collision attacks, and brute force attacks. Remember Heartbleed?
“The results of our most recent analysis are not surprising,” said Kevin Bocek, chief security strategist for Venafi. “Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I’m sure we are going to see it again.”
Venafi ran its test in February 2017, analyzing 33 million publicly visible IPv4 websites using the certificate intelligence service Venafi TrustNet. Over one in five certificates for unique IP addresses were using SHA-1 at the time of the test. That is a rather surprising number considering how widespread the news regarding Heartbleed was.
Regardless, if you are using SSL certificates across your website, make sure you're utilizing the latest SHA-2 algorithm.