The upcoming transition to SHA-2 SSL Certificates, and what it means to you
Posted by Garrett Saundry on 10/23/14 09:47 AM
Recently the big 3 browser makers (Google, Microsoft, and Mozilla) made a decision that will change how secure websites are handled going forward.
Specifically, they made the decision to no longer support SHA-1 (Secure Hash Algorithm version 1), the hash algorithm that is at the moment standard for signing SSL certificates.
The reason they gave is that the SHA-1 algorithm is now almost 20 years old (it was created in 1995) and, while it is very widely used, a number of weaknesses have been discovered in it which, thanks to the computing power that newer technology makes available, have become plausible to exploit in practice. These weaknesses include attacks that can allow an attacker to obtain fraudulent certificates (which would let browsers show fake websites as secure when they are not, potentially leading to compromised personal data), as well as collision attacks (using enormous, exponentially growing sets of data values to hammer the certificate's hash over and over until it breaks and the certificate no longer protects personal data).
In light of this, and to protect the average Internet user, the three main browsers (commonly known as IE, Chrome, and Firefox) have decided to phase out support for the SHA-1 algorithm starting on September 26th, 2014 (with the latest release of Chrome). Ultimately, SHA-1 will be completely unsupported by the big 3 browsers as of 2017. In the meantime, they are preparing you for this new reality early through a number of stages in which existing SHA-1 certificates are gradually phased out: a certificate with an expiry date in 2016 will be shown as secure but with minor errors, while one with an expiry date in 2017 will be shown as either lacking security or affirmatively insecure.
So how might this affect you?
If you have an SSL certificate that is SHA-1 based, then going through certificate reissuance is all that is required. All SSL certificate providers have a free reissuance process in place, which is for the most part relatively painless to undertake.
The process for reissuance is outlined in our SSL self-help files, located here.
During the reissuance process there will be a drop-down in the Hashing Algorithm section; choose SHA-2 there. If you are using IIS, you will need to generate a new CSR with a 2048-bit key to do this, whereas if you are on Apache, you can reuse the exact same CSR you currently have during the reissuance process.
As for new certificates, the option to choose between SHA-1 and SHA-2 as the hashing algorithm is tentatively scheduled to be available in our interface as of the first quarter of 2015. In the meantime, the process is a bit roundabout: after receiving your initial SHA-1 certificate, you would want to immediately go through the reissuance process outlined above.
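Before requesting a reissue it helps to confirm which hash your current certificate is actually signed with. The following is an added example (not code from the original post or from any certificate provider) that reads the signatureAlgorithm OID directly out of a certificate's DER encoding using only the Python standard library, and maps it to the familiar name such as sha1WithRSAEncryption or sha256WithRSAEncryption. It builds a certificate-shaped DER blob of its own for demonstration; that blob is constructed here, carries a dummy tbsCertificate and signature, and is not a valid certificate. To check a real PEM file, pass its contents to `needs_reissue()` instead.

```python
"""Read the signature hash algorithm out of an X.509 certificate (stdlib only).

A DER-encoded Certificate is SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue }.  The hash the CA used is named by the OID inside the
signatureAlgorithm AlgorithmIdentifier, which is what we extract here.
"""
import base64

# Signature OIDs this demo recognises (assumption: list is intentionally short).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_NAMES = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _encode_len(len(value)) + value


def encode_oid(dotted):
    """Encode a dotted OID (e.g. '1.2.840.113549.1.1.11') as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]        # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER back to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def build_certificate_shell(sig_oid):
    """Constructed demo input: a certificate-shaped DER blob whose tbsCertificate and
    signature are dummies.  It is NOT a valid certificate; only its outer layout is real."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                   # stand-in tbsCertificate
    alg = _tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")     # AlgorithmIdentifier, NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 16)                # dummy signature BIT STRING
    return _tlv(0x30, tbs + alg + sig)


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def from_pem(pem):
    lines = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def signature_algorithm(der):
    """Return (dotted OID, friendly name or 'unknown') of the certificate's signatureAlgorithm."""
    _, cert_body, _ = _read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, _, pos = _read_tlv(cert_body, 0)            # skip tbsCertificate
    _, alg_body, _ = _read_tlv(cert_body, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid_value, _ = _read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    oid = decode_oid(oid_value)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def needs_reissue(pem):
    """True when the certificate is signed with SHA-1 and should be reissued as SHA-2."""
    _, name = signature_algorithm(from_pem(pem))
    return name in SHA1_NAMES


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        pem = to_pem(build_certificate_shell(oid))
        print(signature_algorithm(from_pem(pem)), "reissue:", needs_reissue(pem))
```

The same information is what `openssl x509 -in cert.pem -noout -text` prints on its "Signature Algorithm" line; the point of parsing it by hand is to see that the browser deprecation hinges on a single OID in the certificate, which is why reissuing (re-signing) the certificate, rather than changing anything on the server, is the fix.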