Why you should disable SHA1 and how to secure web hosting servers
SHA1 (Secure Hash Algorithm 1) is a popular cryptographic method used to secure eCommerce websites, backups, software updates, document signatures and more.
As an outsourced tech support company, we help web hosting providers secure their servers and websites against weaknesses like this one. SHA1 was deprecated in 2015 (the so-called SHA1 sunset), and we had replaced it with SHA-256 on all our customer servers by Dec 2016.
In light of the new Google disclosure, we're noting a few common server hardening steps we performed on our customer servers.
1. Find and disable SHA1 certificates
Many of our customers (web hosts) provide SSL to their clients (web site owners). Since 2015, we’ve recommended issuing only SHA-256 certificates when SSLs were renewed.
However, there were websites that obtained certificates from other providers who didn't insist on SHA-256. We knew these sites would be penalized by Google and were potentially a hacker magnet.
To find vulnerable websites, we scanned all SSL-enabled domains on each server with our proprietary Signature Algorithm check routine.
Once we had built a list of weak SSLs, we recommended that our customers (web hosts) contact the affected webmasters and offer them SHA-2 certificates. Our tech support team opened proactive tickets for these webmasters and followed up until a secure SSL was installed.
2. Fix weak self-signed certs in mail, FTP & admin panels
Secure connections in SMTP, POP, IMAP, FTP and server administration panels (such as cPanel/WHM, Plesk, etc.) use self-signed certificates by default.
Unlike website certificates, these certificates do not show a prominent error in mail or FTP clients, so they can go unnoticed for a long time. Our tech support team found quite a few weak self-signed certs on self-managed VPS, dedicated and shared web hosting servers.
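The two checks described above, a signature-algorithm scan (section 1) and a test for self-signed certificates on mail, FTP and admin-panel ports (section 2), can be done with a short standard-library script. The following is an added example written for this page; it is not the proprietary check routine mentioned above. It fetches a host's leaf certificate over TLS without verification (so weak or self-signed certs can still be inspected), walks the DER structure with a minimal ASN.1 reader, reports the signature algorithm OID and flags SHA1/MD5 signatures, and treats "issuer DN equals subject DN" as a self-signed heuristic. The function names and the sample certificates built by `_sample_cert` are assumptions of this example; the samples are constructed just to exercise the parser and are not real certificates.

```python
import base64
import socket
import ssl

# Signature algorithm OIDs as they appear in X.509 AlgorithmIdentifier fields.
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
WEAK_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5",
             "1.2.840.10040.4.3", "1.2.840.10045.4.1"}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first byte packs the first two arcs
    value = 0
    for byte in raw[1:]:                   # base-128, high bit set on continuation bytes
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    body = [l.strip() for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))


def analyze_der(der):
    """Report the signature algorithm and a self-signed heuristic for one DER certificate."""
    _, cert_start, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(der, cert_start)    # tbsCertificate
    fields, pos = [], tbs_start
    while pos < tbs_end:                                  # collect raw TBS fields in order
        tag, _, end = _read_tlv(der, pos)
        fields.append((tag, der[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                              # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2][1], fields[4][1]
    _, alg_start, _ = _read_tlv(der, tbs_end)             # outer signatureAlgorithm
    _, oid_start, oid_end = _read_tlv(der, alg_start)     # its OBJECT IDENTIFIER
    oid = decode_oid(der[oid_start:oid_end])
    return {
        "oid": oid,
        "signature_algorithm": OID_NAMES.get(oid, oid),
        "weak_signature": oid in WEAK_OIDS,
        # Heuristic: identical issuer and subject DN. A true check would verify the
        # signature with the subject's own key, but this is what admin panels emit.
        "self_signed": issuer == subject,
    }


def fetch_der(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a host presents for `host` (SNI sent), unverified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be cleared before verify_mode=CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE        # we want to inspect bad certs, not reject them
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _der(tag, content):
    """Tiny DER encoder used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11


def _sample_cert(sig_oid, issuer_cn, subject_cn):
    """Constructed certificate skeleton (placeholder key/signature) for exercising the parser."""
    def name(cn):                          # Name ::= SEQUENCE OF SET OF (CN AttributeTypeAndValue)
        atv = _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode())
        return _der(0x30, _der(0x31, _der(0x30, atv)))
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name(issuer_cn)
               + _der(0x30, _der(0x17, b"170101000000Z") + _der(0x17, b"180101000000Z"))
               + name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    # Constructed sample: a SHA1-signed, self-signed mail-server cert as found on admin panels.
    print(analyze_der(_sample_cert(SHA1_RSA, "mail.example.com", "mail.example.com")))
```

To scan a server, call `analyze_der(fetch_der(domain, 443))` for each SSL-enabled domain (SNI is sent, so name-based virtual hosts return their own cert), and use ports 465, 993, 995 and 990 for the implicit-TLS mail and FTP services; STARTTLS ports (25, 587, 143, 110, 21) need the protocol's own upgrade command first and are not covered here. If a modern OpenSSL refuses the handshake with a SHA1-signed cert at its default security level, `ctx.set_ciphers("DEFAULT:@SECLEVEL=0")` on the context relaxes that for the scan only.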
To prevent future occurrences of such SSL issues, we beefed up our 24/7 server monitoring with SSLLabs-SSLScan for in-depth scans.