Upgrading From SHA-1 to SHA-2
Most of our clients have received an email lately from their payment gateway provider about a security upgrade. This certificate upgrade from SHA-1 to SHA-2 is long overdue: SHA-1 is no longer considered strong enough to sign certificates, and browsers have begun phasing out trust in certificates signed with it.
But what does this upgrade mean for you?
Well, most of the notification emails I read were, because of their technical lingo, more than confusing. That is why I would like to clear some things up and simplify the science behind the 'algorithm'.
What is SSL and/or Security Certificate?
SSL (Secure Sockets Layer, today technically TLS) encrypts the communication between the web server and the person visiting the website, so that someone listening on the network cannot read what the browser sends to and receives from the server. The security certificate is the other half: it is issued and digitally signed by a certificate authority and proves to the browser that the server really belongs to your domain, so the browser knows it is encrypting traffic to the right party and not to an impostor. SHA-1 and SHA-2 are the hash algorithms the certificate authority uses to create that signature. If the hash is weak, an attacker could in principle forge a certificate that carries a valid-looking signature, which is why SHA-1 is being retired. Encryption of this kind is required on e-commerce sites that accept credit card payments online.
When do you need an SSL and/or Security Certificate?
If you are using PayPal Standard with a 'Buy Now' button, Google Checkout or a similar hosted payment service, your customers' card details never pass through your shopping cart: the 'Buy Now' button sends the customer directly to, e.g., the PayPal website, and PayPal takes it from there.
But if you are using a payment solution like 2Checkout, Authorize.net etc., the checkout form is integrated into your shopping cart, meaning you DO collect sensitive information on your own pages and then submit it to your payment provider. In that case you need SSL.
How do you know your website is secure?
Simple. Look at the address bar in your browser when you are on the checkout page. If the address starts with 'https' the page is served over SSL. If it just shows 'http' or nothing at all, it is not encrypted. Check the page that actually contains the card form, not just the home page, because the form must both be loaded over https and submit over https. Also, many visitors click on the little padlock icon next to the address to check whether the site they are visiting is safe. If it is not, many people would rather leave your site than take chances.
Your site has SSL already. Does it need to be upgraded?
It depends on when your certificate was issued. If it was installed before April 2015 it might need an upgrade, although some certificates have complied with the new SHA-2 standard since February 2014. The reliable way to tell is not the purchase date but the certificate itself: click the padlock in your browser, view the certificate details, and look at the 'Signature Algorithm' field. 'sha1WithRSAEncryption' means it must be replaced; 'sha256WithRSAEncryption' (or another SHA-2 variant) is fine. Most certificate authorities will reissue an existing certificate with a SHA-2 signature at no charge.
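The same check can be scripted. The following is an added example written for this post, not code from the original article or from any certificate vendor. It reads the signature algorithm straight out of a certificate's DER encoding with a small hand-written parser (the Python standard library has no X.509 parser), so it runs offline; the `check_live_site` helper then applies the same check to a real host using only the standard `ssl` module. The two `constructed_cert` inputs are synthetic skeletons with a valid outer layout, built here for demonstration; they are not real certificates.

```python
"""Report which hash algorithm signed an X.509 certificate (SHA-1 needs upgrading)."""
import ssl

# Signature-algorithm OIDs from RFC 3279 / RFC 5754 / RFC 5758, mapped to (name, digest).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}

SEQUENCE, OID, BIT_STRING = 0x30, 0x06, 0x03


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted form, e.g. 1.2.840.113549.1.1.11."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_hash(der):
    """Return the signature algorithm of a DER-encoded Certificate and whether it is SHA-1.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm
    AlgorithmIdentifier, signatureValue BIT STRING }. We skip the TBS body and
    read the OID inside the AlgorithmIdentifier.
    """
    tag, start, _, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER Certificate")
    tag, _, _, pos = _read_tlv(der, start)  # tbsCertificate, skipped whole
    if tag != SEQUENCE:
        raise ValueError("missing tbsCertificate")
    tag, alg_start, _, _ = _read_tlv(der, pos)  # AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end, _ = _read_tlv(der, alg_start)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    name, digest = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
    return {"oid": oid, "algorithm": name, "digest": digest, "needs_upgrade": digest == "SHA-1"}


def check_live_site(host, port=443):
    """Fetch the certificate a server presents and classify it (requires network access)."""
    pem = ssl.get_server_certificate((host, port))
    return signature_hash(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test input: a certificate-shaped skeleton, NOT a real certificate ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only (body < 128 bytes)


SHA1_RSA_OID_DER = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID_DER = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def constructed_cert(oid_der):
    """Build SEQUENCE { placeholder TBS, AlgorithmIdentifier {oid, NULL}, BIT STRING }."""
    tbs = _tlv(SEQUENCE, _tlv(0x02, b"\x02"))              # stands in for the real TBS body
    alg = _tlv(SEQUENCE, _tlv(OID, oid_der) + _tlv(0x05, b""))
    sig = _tlv(BIT_STRING, b"\x00\xaa\xbb")                 # zero unused bits + dummy value
    return _tlv(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    for label, oid_der in (("old", SHA1_RSA_OID_DER), ("new", SHA256_RSA_OID_DER)):
        print(label, signature_hash(constructed_cert(oid_der)))
```

Run it against your own shop with `check_live_site("shop.example.com")` (a hypothetical host name) and look at `needs_upgrade`. The same information is printed by `openssl x509 -noout -text -in cert.pem` under "Signature Algorithm" if you prefer the command line.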
Also, if you have a shared hosting account you usually share the server's IP address with other websites. Contrary to what some of the notification emails suggest, this has nothing to do with SHA-2: the hash algorithm that signs a certificate is independent of IP addresses. What matters is whether your host supports SNI (Server Name Indication), which lets one IP address serve a different certificate for each site. Older clients such as Internet Explorer on Windows XP do not support SNI, which is why many hosts still ask you to buy a dedicated IP address for an SSL certificate. Ask your host whether you need one.
Are there exceptions and what are they?
So far I know of one exception involving WooCommerce and PayPal Express Checkout. Although sensitive information is being collected within the shopping cart, that information is securely transmitted to PayPal if the original WooCommerce PayPal plugin is used.
How much do an SSL certificate and a dedicated IP address cost?
For a small business such certificates typically run between $50 and $100 per year, plus approx. $2 per month for a dedicated IP address.
What I would recommend.
If you are in doubt, just ask your webmaster. They should be able to test your website's security status through a sandbox account. Or submit your questions through the comment box below.
Joerg Buyna, Amazingly Virtual