Starting in November 2014, SHA-1 will be gradually sunset by Google. Thus, we strongly suggest that anyone using SSL certificates signed with SHA-1 reissue certificate as soon as possible. This is a very similar situation as the SSLv3 security changes hosting companies and website owners have recently dealt with due to the POODLE vulnerability.
If you are not sure whether your SSL certificate is signed by SHA-1 or SHA-2, use this tool to check for SHA-1 keys. If they exist make plans to have your SSL certificate reissued as soon as possible. To do so contact the company where you purchased the SSL certificate for your website.
Background Knowledge & Information
A signature algorithm is an critical part of SSL security and is one of the basic things that makes SSL certificates secure for different browsers, applications and software. SHA1 will become extinct, soon. While this development is not really new, it’s likely to be the first most merchants have heard of. The early signs of weaknesses in the SHA1 algorithm surfaced nearly ten years ago. In 2012, some studies showed how breaking SHA1 is becoming feasible for those who can afford it.
Timeline
- Microsoft announced that they wouldn’t be accepting SHA1 certificates after 2016.
- Google announces that it will begin penalizing websites with certificates which expire during 2016 and after and have SHA-1. Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November 2014. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.
Though SHA-1 is still considered to be secure to use for right now, the Internet community and some major web companies like Microsoft and Google already think the world should move forward with the superior security provided by the SHA-2 algorithm in SSL certificates, to avoid any content spoofs or man-in-the-middle attacks. Also, as we already know it will not work correctly in Chrome 39 (Beta released already on 26 September 2014, and tentative production release scheduled this month (November 2014)).
Today most commonly used browsers, servers, mail clients and mobile devices already support SHA-256, however older operating systems such as Windows XP prior to Service Pack 3 (SP3) and some mobile devices may not support SHA-256.
Clients whom we have issued your SSL should check their SSL with the tool provided, then IF issues such as:
Renewing this certificate and continuing to have a SHA1 signature will likely cause this certificate to be affected.
Are detected, please contact support via the PRO-Webs Helpdesk to make arrangements to have your SSL certificate reissued and reinstalled.
