In light of recent research which contends that the SHA-1 hashing algorithm could be more vulnerable to attack than was previously thought, both Microsoft and Mozilla have begun discussions to bring forward the date when their browsers will reject SHA-1 based SSL/TLS certificates.
Although not yet confirmed, Mozilla is considering rejecting SHA-1 certificates after July 1st 2016, while Microsoft may start to reject them after the slightly earlier date of June 2016. If these plans become policy, then Firefox and Internet Explorer/Edge will show error messages whenever they encounter a SHA-1 certificate after the new dates. The previous deadline was January 1st 2017 as explained in our advisories here and here.
We anticipate Google may announce a similar timeline for their Chrome Browser soon. Because of this, we strongly recommend customers replace any SHA-1 SSL/TLS certificates on their websites, free of charge, with a SHA-2 version no later than May 31st 2016.
The following table summarizes the proposed new dates when the major browsers will cease to trust SHA-1 signed SSL/TLS certificates:
SSL/TLS Certificates
Mozilla blog: https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/
Microsoft blog: https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/
Readers should consider all dates as subject to change pending further review from Microsoft, Google and Mozilla.
How do I know if I am affected?
Enter your domain in our certificate checker at https://sslanalyzer.comodoca.com/. The ‘signature’ row will tell you if you have a SHA-1 certificate. If so, please get a free SHA-2 replacement from Comodo before May 31st 2016. If your certificate expires before May 31st then you are free to let it expire as normal, but we advise you get a SHA-2 replacement at the earliest opportunity anyway to ensure the highest levels of protection for your visitors.
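The same check can be run locally. The following is an added example, not Comodo's tooling: a minimal DER reader that pulls the signature algorithm OID and the notAfter date from a certificate and flags SHA-1 certificates that outlive the May 31st 2016 replacement date. The names `check_cert` and `sample_cert` are hypothetical, and the sample certificates are constructed skeletons with no real key or signature.

```python
import datetime

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5",   # sha1WithRSAEncryption
                 "1.2.840.10045.4.1",      # ecdsa-with-SHA1
                 "1.2.840.10040.4.3"}      # id-dsa-with-sha1
DEADLINE = datetime.datetime(2016, 5, 31)  # replacement date from this advisory

def children(buf, pos, end):
    """Split a DER value into (tag, value_start, value_end) elements."""
    out = []
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                  # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, pos, pos + length))
        pos += length
    return out

def decode_oid(body):
    """Decode DER OID content bytes into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def check_cert(der):
    """Return (signature OID, notAfter, needs_replacement) for a DER certificate."""
    cert = children(der, 0, len(der))[0]
    tbs, sigalg, _signature = children(der, *cert[1:])
    _, s, e = children(der, *sigalg[1:])[0]            # AlgorithmIdentifier OID
    oid = decode_oid(der[s:e])
    fields = [f for f in children(der, *tbs[1:]) if f[0] != 0xA0]  # skip [0] version
    tag, s, e = children(der, *fields[3][1:])[1]       # validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime or GeneralizedTime
    expires = datetime.datetime.strptime(der[s:e].decode("ascii"), fmt)
    return oid, expires, oid in SHA1_SIG_OIDS and expires > DEADLINE

def sample_cert(alg_oid_hex, not_after):
    """Constructed skeleton certificate (no real key or signature) for the demo."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    alg = enc(0x30, enc(0x06, bytes.fromhex(alg_oid_hex)) + enc(0x05, b""))
    validity = enc(0x30, enc(0x17, b"150101000000Z") + enc(0x17, not_after))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + alg
              + enc(0x30, b"") + validity + enc(0x30, b""))
    return enc(0x30, tbs + alg + enc(0x03, b"\x00\x00"))
```

For a live site, pass `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` to `check_cert`; this reads the server's own certificate only.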
How do I get a SHA-2 certificate?
Comodo offers a free certificate replacement program to all customers. To replace your SHA-1 certificate, log into your Comodo account, locate your certificate order and use the ‘Replace Certificate’ facility. Please make sure to supply a SHA-2 CSR (or select the ‘SHA-2’ option under ‘Hash Algorithm’ on the certificate order form). We will also reach out to Comodo customers and partners with SHA-1 certificates that expire after May 31st 2016 to help them obtain a replacement. More guidance can be found in this support article.
Does anything still need SHA-1?
There is a full list of operating systems, browsers and servers which support SHA-2 on the CA Security Council website here. If you have a particular piece of software that you have concerns over, we suggest contacting the software vendor to see if they have, or are planning to offer, SHA-2 support.
Comodo has a test site that uses a SHA-2 certificate. You can test software and devices against this URL to attempt to determine SHA-2 compatibility: https://sha256rsa.comodoca.com
Comodo will continue to monitor the situation and work with our customers to ensure the SHA-2 upgrade goes as smoothly as possible. If you have questions about the transition, please contact your Comodo account manager or Comodo support directly at support@comodo.com.
Does this affect Code-Signing certificates?
There have also been minor adjustments to Microsoft’s policy on SHA-1 code signing certificates:
Code Signing Certificates
Please note that although CAs MAY issue SHA-1 code-signing certificates after Jan 1st 2016, code signed (and timestamped) with a SHA-1 signature or using a SHA-1 certificate WILL NOT WORK for standard Authenticode signing for code to run on Windows 7 and upwards.
Microsoft enforcement: http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B
References and further reading
https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/
https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B
https://sites.google.com/site/itstheshappening/
https://www.comodo.com/e-commerce/SHA-2-transition-next-steps.php
https://www.comodo.com/e-commerce/SHA-2-transition.php
https://casecurity.org/2014/01/30/why-we-need-to-move-to-sha-2/
https://casecurity.org/2013/12/16/sha-1-deprecation-on-to-sha-2/
- Source: https://blog.comodo.com/e-commerce/sha-1-deprecation/