January 17, 2017

Security Recommendations and Changes for 2017

Starting in 2017 there are some important security changes everyone needs to be aware of. In this blog post, we’ll break down some of the more pressing and common items related to web security.

Browsers

Secure Hash Algorithm 1, or SHA-1, is a cryptographic hash function. In SSL/TLS it is used when a certificate authority signs a website's certificate: the browser hashes the certificate it receives during the handshake and checks that hash against the CA's signature, which is what guarantees the certificate has not been altered in transit or forged. SHA-1 is no longer strong enough for this job, because collision attacks against it are no longer considered out of reach, and a collision would let an attacker reuse a legitimate signature on a certificate of their own.

Browsers now warn users when a website presents a certificate signed with SHA-1. Google Chrome has been doing so for some time, and Chrome 56, released in January 2017, stops accepting SHA-1 certificates issued by public CAs altogether. Other browsers are following the same schedule over the coming months, so the warning will become increasingly visible to your visitors.

If your website is using a SHA-1 certificate, it is time to replace it. Even if the certificate is not expired or expiring, contact your certificate issuer to have it reissued with a SHA-2 signature (SHA-256 is the usual choice). A quick way to check your website is here: sha1affected.com

Private Keys – If your certificate's private key is 1024-bit RSA, it is also considered insecure and public CAs no longer issue certificates for keys that small; generate a new 2048-bit key (or 4096-bit if you prefer). Note that the 128-bit figures you may see in browser connection details refer to the symmetric cipher negotiated for each connection, not to the certificate's key; 128-bit AES is still considered secure, although you can configure the server to prefer 256-bit suites if your policy requires it. Replacing the private key requires a new key, a new CSR, and re-issuing of the certificate. Edge Hosting can help you with this if needed, simply put in a ticketed request.
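The checks and the reissue steps described in the two paragraphs above, as an added example that is not code from the original post: a small POSIX shell script that reports whether a PEM certificate is signed with SHA-1 or carries an RSA key shorter than 2048 bits, and that generates the replacement key and SHA-256 CSR a reissue requires. It assumes only the openssl command-line tool; the file names, hostnames, and the self-signed sample certificates are placeholders constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a PEM certificate for a
# SHA-1 signature or an RSA key under 2048 bits, and generate the replacement
# key and CSR needed for a reissue. Assumes the openssl CLI is on PATH; file
# names and CNs are placeholders.

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the public key algorithm, e.g. rsaEncryption or id-ecPublicKey.
cert_keyalg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Print the public key size in bits, e.g. 2048.
cert_keybits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Report "WEAK: ..." for a SHA-1 or MD5 signature, or for an RSA key shorter than
# 2048 bits; "OK" otherwise. The size threshold applies to RSA only: a 256-bit
# EC key is fine and must not be flagged.
check_cert() {
    alg=$(cert_sigalg "$1")
    keyalg=$(cert_keyalg "$1")
    bits=$(cert_keybits "$1")
    status="OK"
    case "$alg" in
        sha1*|md5*) status="WEAK: $alg signature" ;;
    esac
    if [ "$keyalg" = "rsaEncryption" ] && [ "${bits:-0}" -lt 2048 ]; then
        status="WEAK: ${bits}-bit RSA key"
    fi
    echo "$status ($alg, $keyalg ${bits}-bit)"
}

# Generate a fresh 2048-bit RSA key and a SHA-256 signed CSR for a hostname.
# The .csr goes to the CA for reissue; the .key never leaves the server.
new_key_and_csr() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1.key" -out "$1.csr" -subj "/CN=$2"
}

# Self-signed certificate constructed purely as sample input for check_cert.
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$2" -sha256 -nodes -days 30 -subj "/CN=$3" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Usage: sh audit_cert.sh /etc/ssl/certs/site.pem
if [ -n "$1" ]; then
    check_cert "$1"
fi
```

Run it against the certificate file your web server actually loads, not the one in your email from the CA, since the two can differ after a reissue. A result such as `WEAK: sha1WithRSAEncryption signature (sha1WithRSAEncryption, rsaEncryption 2048-bit)` means the key is fine and only a reissue is needed; a 1024-bit result means a new key and CSR come first.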

While on the topic of SSL, check out Qualys's blog post on the changes it is making to the SSL Labs scanner in 2017, which is a good way to confirm your site meets the recommendations in this post.

But what if I don’t have an SSL?

The short answer? Get one. Google already uses HTTPS as a ranking signal, so sites served over SSL place higher in search results, all else being equal. Even if your site doesn't process credit cards, you should still serve any forms on your site over SSL so that the submitted data cannot be intercepted or altered in transit. Starting with Chrome 56 in January 2017, an HTTP page that collects passwords or credit card numbers is labelled “Not secure” in the address bar instead of showing the neutral indicator, and Google has said this label will eventually apply to every page served over plain HTTP.

Ciphers

TLSv1.0 will continue to be phased out over the coming year. PCI DSS requires that SSLv3 and TLSv1.0 (“early TLS”) be disabled by June 30, 2018, in favour of TLSv1.1 or, preferably, TLSv1.2 (TLSv1.3 is still in draft). More information on the sun-setting of TLSv1.0 can be found here.

SSLv2 and SSLv3 are obsolete protocol versions, and 3DES and RC4 are ciphers with known practical attacks (RC4's keystream biases, and the Sweet32 birthday attack against 3DES's 64-bit block size). If your web server still offers any of these protocols or cipher suites, they need to be disabled. If you're unsure of how to disable them, please contact us through the ticketing system and we will be glad to help.
