Website Security is Important to Your Business
In August of 2014, Google made a public announcement about website security – one they hailed as “HTTPS everywhere”. If you don’t speak tech, essentially Google was calling for you to run your website with a security layer called encryption – as a standard as opposed to an afterthought. The dangled carrot for the effort of doing so was that Google said they would start ranking pages higher in search results if used HTTPS by default, and met certain encryption standards.
Website Trust Article in Google Blog
That was 2014. In 2017, the discussion isn’t whether or not your website should use encryption (hint, it should), but whether or not that encryption is strong enough. In late February, Google announced the first practical application of a way to break the SHA1 encryption algorithm. Why does this matter? Well, as it turns out, better than 1 in 5 websites that use HTTPS use this now cracked algorithm. Google has just put everyone on notice with this new crack, stating that they won’t release the information showing exactly how to carry out this attack for 90 days. How generous of them! If the history of CPU computing power is any measure as to how fast this will be a problem, the answer is soon. Very soon. The image below illustrates how far computing power has really come.
There was a time when MD5 was considered a secure algorithm for website security. The average smartphone has enough power to crack that in about 30 seconds.
So what is the moral of this story? First, If your website isn’t using HTTPS by default – it should be. Second, if your site uses SHA-1, it’s about to be considered untrustworthy. Google, Microsoft, and Mozilla (the maker of Firefox) all set deadlines for early 2017 to no longer trust websites based on this outdated algorithm. You wouldn’t want your customers to get a notification that your website isn’t secure when they visit it, now would you?
Written by:
Patrick Massey
Partner of Network Medics
Minnesota Business IT Consultant