A news bulletin for the LastPass community:
In our ongoing effort to provide the best security for LastPass users, our SSL certificate for LastPass.com will be transitioned tonight from an SHA-1 certificate to an SHA-256 certificate. Ours will continue to be a Thawte Extended Validation Certificate (EV).
Why now? We started this process last year, but due to the ongoing use of older versions of XP our efforts stalled. Now that Google and others are proactively pushing SHA-256, we’re confident that we can transition with minimal impact on our community.
All changes will happen behind-the-scenes, so LastPass users shouldn’t encounter any problems or interruptions to the service. Reports or concerns? Please let us know in the comments below or get in touch with our support team.
Wondering what the fuss is about?
You know to look for the “lock” icon and HTTPS at the beginning of a website’s URL. Those details indicate that you’re on a secure connection to a website. That secure connection is created with an SSL certificate (lending the “S” to HTTPS). The SSL certificate, issued by a Certificate Authority (CA), encrypts your connection and verifies you’ve connected to the real website.
The CA condenses the certificate by running it through a one-way hashing algorithm, then cryptographically “signs” that condensed version of the certificate. Most websites that use SSL use the algorithm SHA to create that hash, with SHA-1 being the most widely used. The one-way hashes are unique to every website certificate. When your browser is evaluating a website’s certificate, it calculates the SHA-1 hash itself, then compares it to the signed hash that the website offers as verification. If they match, the browser gives a green light and you know your information is safe.
The problem is that SHA-1 is not as strong as it once was. Now that computers are faster and cheaper, the risk is increasing that attackers could forge a certificate and trick the browser into thinking that it’s connecting to the right website.
Vendors are now transitioning to the stronger next-generation algorithm SHA-2 to increase security and protect against attacks. SHA-2 creates longer hashes and is currently resistant to the attacks that SHA-1 is vulnerable to. If you use Chrome, you may have started seeing certificate warnings with yellow lock icons, which is part of Google’s effort to sunset SHA-1 certificates and move the web forward with SHA-2.
At the end of the day, the transition doesn’t impact your experience as a LastPass user, but furthers our mission to keep your data safe as the web evolves. It’s the same LastPass, with even better security.
Thanks for tuning in,
The LastPass Team