At this point, you might be a little tired of hearing about SHA-1 – we’ve been talking about its deprecation since 2014! Fortunately for both you and I, this will likely be the last time I have to talk about this old, outdated algorithm, since browsers are taking a final stance against it.
Don’t know what I’m talking about? It’s time to come out from the rock you’ve been hiding under for the past two years – you should be using SHA-256 in your SSL/TLS Certificates and if you’re still using SHA-1 on your public websites come early 2017, you’re going to have a bad time. After multiple stages of warnings and decreased support, all three of the major browser vendors – Google, Mozilla, and Microsoft – have announced plans to stop supporting SHA-1 entirely. In this case “stop supporting” = scary warning messages or completely blocking access to your site.
Browser Plans for Ending SHA-1 Support
Last week Google announced their final removal of support for SHA-1. Starting with Chrome 56, which is slated for release at the end of January 2017, ALL SHA-1 SSL/TLS Certificates issued under publicly trusted roots will no longer be trusted.
Example error visitors would see when visiting a SHA-1 site in Chrome. (Source: Google)
In October, Mozilla announced that Firefox will show an “Untrusted Connection” error when you try to navigate to a site using SHA-1. This policy will first be included in Firefox 51, which will be released at the end of January 2017.
Example error visitors would see when visiting a SHA-1 site in Firefox. (Source: Mozilla)
Microsoft Edge and Internet Explorer
According to an announcement from earlier this month, starting on February 14, 2017 (Happy Valentine’s Day?) Microsoft Edge and Internet Explorer 11 will display an “invalid certificate warning” for sites using SHA-1 and prevent them from loading.
Example error visitors would see when visiting a SHA-1 site in Edge or IE11. (Source: Microsoft)
Are you sensing a theme here? Make sure your sites aren’t using SHA-1!
How to Find SHA-1 Certificates
If you’re not sure if your certificates are SHA-1, or if you’re worried you might have some stragglers lurking out there somewhere, here are some tips for tracking them down.
For GlobalSign Customers – Log in and Run a Report
If you’re one of our customers, the easiest way for you to find any pesky SHA-1 certificates, is to run a report from your account. Just go to ‘Search Order History’ after you’ve logged in to pull up a list of all your certificates, which can easily be sorted by signature algorithm so you can immediately find any using SHA-1. This list can easily be exported to a .csv file if you need it too.
Example SHA-1 report results in GlobalSign customer portal.
Use Our Certificate Inventory Tool
GlobalSign's Certificate Inventory Tool (CIT) is free and available for any company to use. It can be run via an easy to use online portal for public facing certificates or as a local agent to inventory certificates across your entire network (internal and public), regardless of the issuing CA. With a pre-built SHA-1 certificate report readily available, you can start locating SHA-1 certificates within minutes of using the tool.
This is a great option if you have certificates from multiple CAs or if you’re worried you might have some rogue certificates out there.
Look at the Certificate Details
If you only manage a few domains, it might actually be easiest to just visit them and take a look at the certificate itself. The way to do this varies slightly by browser, but generally, if you click on the padlock within the URL, you’ll get the option to view more certificate details and can click to view the certificate itself. There you’ll find the signature algorithm.
Example certificate details from Google Chrome.
Replacing SHA-1 Certificates
If you find any SHA-1 certificates on publicly accessible websites, you should re-issue them ASAP using the SHA-256 algorithm. At GlobalSign we allow unlimited re-issues, but if you use another CA, you’ll have to check on their policy.
I’m serious when I say to do this ASAP! Don’t think, “oh, I have until the end of January. I’m good.” Do you really want to be dealing when you’re back in the office after the winter holidays? I don’t think so.
If you have questions about migrating from SHA-1 to SHA-256, please don’t hesitate to contact our support team.
Can't Live without SHA-1? We Have a Solution
At this point, SHA-256 is widely supported by most browsers, servers, and applications, but you may have some non-compatible legacy applications that you can’t migrate away from just yet. Just last week, a customer needed a certificate for signing SOAP requests that needed to be SHA-1 because of a legacy integration requirement.
While we no longer issue SHA-1 SSL/TLS Certificates from our public roots, we have a separate line of products issued from non-public CAs, called IntranetSSL. That solution is ideal for these legacy SHA-1 needs, or a number of other use cases that aren’t allowed in publicly trusted certificates, because you can get the configuration you need without having to run your own CA or rely on self-signed certificates. You just need to push the IntranetSSL SHA-1 root to all browsers, or system applications, that need to connect with SHA-1 servers and you’re all set.
In the announcements I linked to above, all three of the major browsers mentioned continued support for SHA-1 certificates that chain to a locally or manually installed root certificate (e.g. the IntranetSSL root). How long this will be supported is unclear; however, Google says this will end with the first Chrome release after Jan 1 2019, but also goes on to say it may stop before then if there is a 'serious cryptographic break' of SHA-1. Mozilla and Microsoft don’t mention dates for ending support, but recommend everyone migrates away from SHA-1 as quickly as possible.
You have some time to keep using SHA-1 certificates for internal use cases and we have a solution that makes it easy for you to do that, but at some point you’re going to need to make the switch to SHA-256. You might want to start thinking now about how you’ll migrate these older systems, so you don’t get caught in a lurch if the browsers cut support suddenly.
Have questions about migrating to SHA-256 or how to support your legacy SHA-1 needs? Contact us; we’re happy to help.