SSL Transition: SHA-1 to SHA-2

Hilbert Map of Hashing Algorithms, by Ian Boyd

Most, if not all, SSL Certificates today use the SHA-1 cryptographic hash algorithm, which is becoming weaker and easier to attack.

Google and Microsoft announced SHA-1 deprecation plans that may affect websites with SHA-1 SSL Certificates expiring as early as the end of the year. 

Google

Google is gradually sunsetting SHA-1 in its Chrome browser by changing the HTTPS security indicator step by step.

When Chrome 39 is released around November 2014, any SHA-1 SSL Certificates that expire on or after 1 January 2017 will be treated as “secure, but with minor errors” as shown in Pic 1 below.



Pic 1: Secure, but with minor errors

When Chrome 40 is released around January 2015, any SHA-1 SSL Certificates that expire between 1 June 2016 and 31 December 2016 will be treated as “secure, but with minor errors” (as shown in Pic 1 above).

SHA-1 SSL Certificates that expire on or after 1 January 2017 will be treated as “neutral, lacking security” as shown in Pic 2 below.



Pic 2: Neutral, lacking security

When Chrome 41 is released in Q1 2015, any SHA-1 SSL Certificates that expire between 1 January 2016 and 31 December 2016 will be treated as “secure, but with minor errors” (as shown in Pic 1).

SHA-1 SSL Certificates that expire on or after 1 January 2017 will be treated as “affirmatively insecure” as shown in Pic 3 below.



Pic 3: Affirmatively insecure

Microsoft

Microsoft’s SHA-1 deprecation plan differs in the activation time and browser behavior. Microsoft’s security advisory on “Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program” informed us that Windows will cease accepting SHA-1 SSL certificates on January 1, 2017. To continue to work with Microsoft platforms, all SHA-1 SSL certificates issued before or after this announcement must be replaced with a SHA-2 equivalent by January 1, 2017.

Transition to SHA-2 

In order to prevent online users on Chrome version 39 and later from experiencing these indicators, SHA-1 SSL Certificates expiring after December 31, 2016 must be replaced with SHA-256 (SHA-2) SSL Certificates.
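To check where one certificate falls in the Chrome schedule described above, the following added example (not part of the original article) parses the text dump produced by `openssl x509 -noout -text` and applies the article's dates. The sample certificate text and the function names are constructed for illustration.

```python
import re
from datetime import datetime, date

# Chrome schedule as stated in this article: version -> (earliest expiry, indicator),
# listed with the latest cut-off first so the first match wins.
CHROME_SCHEDULE = {
    39: [(date(2017, 1, 1), "secure, but with minor errors")],
    40: [(date(2017, 1, 1), "neutral, lacking security"),
         (date(2016, 6, 1), "secure, but with minor errors")],
    41: [(date(2017, 1, 1), "affirmatively insecure"),
         (date(2016, 1, 1), "secure, but with minor errors")],
}

# Constructed sample: trimmed `openssl x509 -noout -text` output, not a real certificate.
SAMPLE = """Certificate:
    Signature Algorithm: sha1WithRSAEncryption
    Validity
        Not Before: Mar  3 00:00:00 2014 GMT
        Not After : Mar  2 23:59:59 2017 GMT
    Subject: CN=www.example.com
"""

def parse_cert_text(text):
    """Extract (signature algorithm, expiry date) from openssl's text dump."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    end = re.search(r"Not After\s*:\s*(.+?)\s*GMT", text)
    if not sig or not end:
        raise ValueError("missing Signature Algorithm or Not After field")
    # openssl pads single-digit days ("Mar  2"), so collapse whitespace first.
    stamp = " ".join(end.group(1).split())
    return sig.group(1), datetime.strptime(stamp, "%b %d %H:%M:%S %Y").date()

def chrome_indicator(sig_alg, not_after, chrome_version):
    """Indicator the article says Chrome will show, or None if unaffected."""
    if "sha1" not in sig_alg.lower():
        return None  # not a SHA-1 signature
    for earliest, indicator in CHROME_SCHEDULE[chrome_version]:
        if not_after >= earliest:
            return indicator
    return None  # SHA-1, but expires before this version's cut-off

def report(text):
    sig, expiry = parse_cert_text(text)
    return {v: chrome_indicator(sig, expiry, v) for v in sorted(CHROME_SCHEDULE)}

if __name__ == "__main__":
    for version, indicator in report(SAMPLE).items():
        print(f"Chrome {version}: {indicator or 'no warning'}")
```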

To transition to SHA-2 SSL Certificates, you will need to contact your SSL vendor to re-issue your SSL Certificates as ones based on SHA-2.

For clients who purchased your SSL Certificates from us, we will contact each of you individually to re-issue your SSL Certificates to SHA-2 over the next few months.

As there are a lot of clients that we will need to contact, we will prioritize those who are affected by the Chrome 39 update first, so please be patient if we have not got to you yet.

October 6th Update: All SSL Certificates purchased from us have been re-issued to SHA-2.