OIT News
Office of Information Technology, Rice University

Why isn’t Every Web Site Secure?

Between April and October 2014, three widely publicized vulnerabilities affected the software behind secure web sites. Heartbleed (a bug in the OpenSSL library that let an attacker read memory from a server, including keys and passwords), ShellShock (a bug in the bash shell, reachable through web servers that run shell-based CGI scripts) and POODLE (a design flaw in the obsolete SSL 3.0 protocol that lets an attacker who can intercept traffic decrypt parts of it) are not malware but weaknesses in the servers and protocols that sit behind addresses beginning with https://, the kind of sites that require logins (account name and password) to protect data entered or stored there. POODLE might pose less risk than Heartbleed or ShellShock, but news reports on all three have increased consumer awareness about the risks to sites they may have intuitively trusted in the past.

POODLE prompted the major browser vendors to disable SSL 3.0. In the same period they also announced schedules for retiring https:// certificates signed with the SHA-1 hash. Beginning in January 2015, warning messages will appear in Chrome, Firefox and Internet Explorer when the certificate chain of an https:// destination is signed with SHA-1 rather than SHA-2. By 2016 the browsers will begin rejecting such certificates outright, with SHA-1 support scheduled to end completely in 2017.

A web site address (URL) that begins with https:// means the browser talks to the site over TLS (formerly SSL): the connection is encrypted, and the server proves its identity with a certificate. That is what once let a customer or member log in and provide sensitive information like credit card numbers without worrying that the information would be read in transit. But https:// by itself is no guarantee of security for logins or the data entered after a successful login. The protection depends on several things, each of which the 2014 incidents touched: the server software (Heartbleed was a bug in OpenSSL), the protocol version in use (POODLE is a flaw in SSL 3.0) and the strength of the certificate presented by the web site's host server, in particular the hash algorithm used to sign it.

A certificate is trusted because a certificate authority (CA) has digitally signed it, much as a notary's stamp and signature vouch for a document. The National Notary Association defines a notary as a "trusted, impartial witness to document signings." The CA does not sign the certificate's contents directly; it signs a fixed-length hash of them, and the certificate records which hash algorithm was used. For most of the web that algorithm has been SHA-1, published in 1995. Since 2005 cryptographers have shown that SHA-1 collisions (two different inputs with the same hash) can be found far faster than its design intended, and the estimated cost of doing so keeps falling. An attacker who could produce a colliding certificate would hold a CA signature that is valid for a site they do not control and could impersonate it. There is no public evidence that criminals have done this against a SHA-1 certificate, and a weak signature does not by itself expose a site's databases, but the safety margin is thin enough that the browser vendors are no longer willing to accept it.

Replacing SHA-1 certificates with certificates signed using SHA-256 (a member of the SHA-2 family, which is why they are usually just called SHA-2 certificates) closes that avenue and keeps a site from triggering the coming browser warnings, but not all web site owners or administrators are aware of the types of certificates in use on the servers that host their web sites. Every certificate in the chain matters, not only the site's own: an intermediate CA certificate signed with SHA-1 triggers the same warnings. At Rice University, the web sites hosted on IT servers, including sites supported by Web Services, have all been upgraded to the new SHA-2 certificates.

“Rice web site administrators and content managers with secure sites NOT hosted by IT should confirm with their host agency that the new SHA-2 certificates are in use,” said Andrea Martin, IT Director for Enterprise Applications.  “The SHA-2 certificates are important for web sites that use a secure login; their URLs begin https://, and the ‘s’ is the indicator that a certificate is involved.”

Barry Ribbeck is more interested in increasing awareness for Rice faculty, staff and students who log in on web sites that are not using the new SHA-2 certificate.  “Most of the major web sites have already converted to the new SHA-2 certificate.  Amazon, Google, Facebook, LinkedIn.  There is an easy way to check, though.  Just copy and paste the login URL [for the web site you are about to enter] into one of the SHA certificate checkers and see for yourself if they are secure.”

Certificate checkers include:
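A checker of the kind Ribbeck describes can also be run locally. The Python script below is an added example written for this article; it is not code from Rice OIT or from any of the linked checkers, and its function and variable names are its own. It uses only the standard library: it reads a DER-encoded X.509 certificate, walks the outer ASN.1 structure to the signatureAlgorithm field and reports whether the certificate was signed with SHA-1 or a SHA-2 hash. The sample certificates built at the bottom are constructed stand-ins (a certificate-shaped DER envelope around a dummy body, not real certificates) so the parser can be exercised offline; check_site fetches a live server's leaf certificate when network access is available.

```python
"""Stdlib-only check of which hash signed an X.509 certificate (SHA-1 vs SHA-2).
Added example for this article; not code from Rice OIT or the linked checkers."""
import socket
import ssl
import sys

# Dotted OIDs of common X.509 signature algorithms (RFC 3279, 4055, 5758),
# mapped to (algorithm name, hash family).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-2"),
}

def read_tlv(data, pos):
    """Read one DER tag-length-value at data[pos:] -> (tag, value, next_pos).
    DER uses definite lengths only: short form (< 128) or long form."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted form (base-128 arcs)."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name, hash family) for a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    (RFC 5280 section 4.1); only the second member is needed here."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    return (oid,) + SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))

def needs_replacement(der):
    """True when the signature hash is one the browsers are retiring."""
    return signature_algorithm(der)[2] in ("MD5", "SHA-1")

def check_site(host, port=443, timeout=5):
    """Fetch the leaf certificate a live https:// server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return signature_algorithm(tls.getpeercert(binary_form=True))

# --- constructed samples: certificate-shaped DER, NOT real certificates ------
def _tlv(tag, value):
    """Encode one DER TLV, using long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fake_certificate(oid_hex):
    """Dummy tbsCertificate + real AlgorithmIdentifier + 200-byte BIT STRING,
    so the outer envelope uses long-form lengths like a real certificate."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")  # NULL params
    sig = _tlv(0x03, b"\x00" + b"\xab" * 200)
    return _tlv(0x30, tbs + alg + sig)

SAMPLE_SHA1_RSA = fake_certificate("2a864886f70d010105")    # sha1WithRSAEncryption
SAMPLE_SHA256_RSA = fake_certificate("2a864886f70d01010b")  # sha256WithRSAEncryption
SAMPLE_ECDSA_SHA256 = fake_certificate("2a8648ce3d040302")  # ecdsa-with-SHA256

if __name__ == "__main__":
    for label, der in [("sample sha1", SAMPLE_SHA1_RSA), ("sample sha256", SAMPLE_SHA256_RSA)]:
        print(label, signature_algorithm(der), "REPLACE" if needs_replacement(der) else "ok")
    for host in sys.argv[1:]:              # e.g. python sha_check.py www.example.com
        print(host, check_site(host))
```

Run it with one or more host names on the command line to test live sites (the file name sha_check.py is an assumption). getpeercert only returns the leaf certificate; the browsers also flag SHA-1 signatures on intermediate CA certificates, so inspect the rest of the chain as well, for example with `openssl s_client -showcerts`, before concluding a site is clean.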

Please email questions about Rice web sites and SHA-1 or SHA-2 certificates to the IT Help Desk: helpdesk@rice.edu.
