SSL Certificates

Transitioning from SHA1 to SHA2

Due to the discovery of vulnerabilities in the SHA1 algorithm, the new SHA2 algorithm will be introduced at an accelerated pace. Until recently, SSL certificates and digital signatures were created using the SHA1 hashing algorithm. Internet browsers and Certificate Authorities (CAs) have now started to phase out SHA1 in favour of the new SHA2 algorithm. This will mean that SHA1 certificates with an expiry date of 2016 or later will soon create issues. This article offers you more information on how this will impact your certificates, and on what notice.

When an SSL certificate is created, it must be digitally signed in order to be valid. For this signature, several algorithms are available, such as the SHA1 and SHA2 algorithms. Because of the discovery of vulnerabilities in the SHA1 algorithm, the National Institute of Standards and Technology (NIST) advises to use SHA2 hashing for the creation of digital certificates. SHA2 does not contain the vulnerabilities that were found in its predecessor, making it a lot safer.

Replace your SHA1 with a SHA2 certificate
Need assistance? Call us at +31 (0)20 – 7881030.

Background

Over the past few years, it was discovered that SHA1 contains vulnerabilities that make the algorithm more susceptible to conflicts and increase the chance that, during an attack, two different values create the same output. A more powerful hash-function (like SHA2) offers much more security against such conflicts, and greatly reduces the chances that two different values create the same output.

To ensure that the data cannot be tampered with when a connection is made, SSL certificates make use of hashing (encryption). Cracking the SHA1 algorithm would mean that the contents of a signed message or certificate could be altered while the hash for the message or certificate remains intact. Vulnerabilities such as the ones found in SHA1 have not been found in SHA2.

Internet Browsers

Various internet browsers have indicated that they will start to give out warnings on SHA1 certificates in the short term, but the actual time frame and type of warning varies for each browser. So far, the following dates have been given:

  • Microsoft ceases support for SHA1 codesigning certificates in Internet Explorer as of 2016. Support for all SHA1 certificates will cease as of 2017. These dates could possibly be adjusted in July 2015.
  • Google has been giving warnings in Chrome version 39 for SHA1 certificates that expire after January 1st, 2017. With each new version, these warnings will intensify.
  • In the next few months, Mozilla will also start rejecting SHA1 certificates that expire after 2016.


Google will soon (starting with Chrome 41) start to indicate the use of SHA1 certificates valid until after January 1st, 2017 according to the image.
It is therefore important to transition to SHA2 as soon as possible.

Ordering

- All new certificates will be created with the SHA2 hash.
- You can reissue your SHA1 certificates as SHA2 certificates for free.
- Are you unsure which algorithm your certificate uses? Use our  SSLCheck.


Most systems already support SHA2, except older systems like Windows XP. Please make sure that your system has been updated for the transition to SHA2.

SHA2 support

Most clients and servers already support SHA2. Exceptions to the norm are older operating systems such as Windows XP without Service Pack 3. New SHA2 root certificates are available for the installation. Below you will find an overview of the clients, servers and mobile devices that support SHA2.

Clients
Adobe Acrobat/Reader 7+
Apple Safari 5+
Google Chrome 26+
Internet Explorer 7+
Java 1.4.2+ based products
Konqueror 3.5.6+
Mac OS X 10.5+
Microsoft Windows XP SP3, Vista, 7, 8 and 10
Mozilla based browsers 3.8+
Mozilla Firefox 1.5+
.NET Framework 1.1+
OpenSSL 0.9.8+Opera 9.0+

Servers
Apache Server
Mac OS X Server 10.5+
Microsoft Windows Server 2003 SP2+ (after installing KB 938397 and KB 968730)
Microsoft Windows Server 2008+
Microsoft Exchange 2010 SP3 and newer
Microsoft Lync 2010 and 2013
Oracle WebLogic 10.3.1+

Mobile devices
Apple iOS 3.0+
Android 2.3+
Blackberry 5.0+
Windows Phone 7+
 

More information (external links)

Policy Mozilla
Policy Google
Policy Microsoft

For more information, send us an email at sales@networking4all.com or call us at +31 (0)20 – 7881030.

Thursday 9 October 2014
Follow Networking4all on Twitter
Twitter Hyves Facebook Google Buzz MySpace LinkedIn Bookmark and Share