Questions about the SHA-1 and SHA-256 Announcements and Migration
Now that the security industry is moving from SHA-1 to SHA-2, you may have questions concerning SHA-1, SHA-2, or the move to SHA-2.
- » Is something wrong with SHA-1?
- » Are there compatibility issues with SHA-2?
- » What are the security concerns with SHA-1?
- » When are browser changes to SHA-1 certificates going into effect?
- » How is DigiCert handling the SHA-2 requirement?
- » What do I do if I have a SHA-2 certificate and run into a problem?
- » Will my users have problems if my website is secured with a SHA-2 SSL Certificate?
Many manufactures have added support for SHA-2 through updates or hotfixes. DigiCert strongly recommends that you and your users upgrade to the latest version of browsers and OS platforms to take full advantage of the newest security measures. Continuing to use old browsers or Operating Systems may mean exposing yourself to exploits.
To see a full list of software and hardware that supports SHA-2, see this page.
As technology advances eventually a hash function’s collision resistance will become weak enough that a move to a stronger hash function becomes necessary. In 2005, a research team from China discovered a collision-resistance property weakness in SHA-1. Since then, the research/cryptology communities’ attacks have improved, and they have predicted that within a few years the cost for gathering the computational power needed to pull off a successful collision attack will become practical.
As part of their SHA-2 migration plan, Microsoft, Google, and Mozilla have announced that they will stop trusting SHA-1 certificates.
Changes to SHA-1 SSL Certificates:
Microsoft, Google, and Mozilla will begin phasing out trust for SHA-1 certificates in 2016. With these dates approaching, it's time to move to SHA-2.
November 2014 –SHA-1 SSL Certificates expiring any time in 2017 will show a warning in Chrome.
December 2014 –SHA-1 SSL Certificates expiring after June 1, 2016, will show a warning in Chrome.
January 2015 –SHA-1 SSL Certificates expiring any time in 2016 will show a warning in Chrome.
December 2015 –SHA-1 SSL Certificates issued after January 1, 2016, will show the "untrusted connection" error in Firefox.
January 2016 –SHA-1 SSL Certificates issued after January 1, 2016, will show a certificate error in Chrome.
Certificate criteria: signed with a SHA-1-base signature, issued after January 1, 2016, and chained to a public CA.
January 1, 2017 –Microsoft, Google, and Mozilla will end trust for all SHA-1 SSL Certificates.
Mozilla and Google say it is feasible to move this date up to July 1, 2016, in light of recent attacks on SHA-1.
Microsoft says it is feasible to move this date up to as early as June 2016, in light of recent attacks on SHA-1.
Since Microsoft’s announcement, DigiCert has not issued any SHA-1 certificates that expire past 2017 and made SHA-2 the default for all certificates purchased.
With the impending warning messages from Google as well as Microsoft’s upcoming deadline, DigiCert strongly recommends that you accelerate SHA-2 deployment where possible and prepare to fully migrate to SHA-2.
If you do not upgrade to SHA-2, your users will see SHA-1 security warnings in Google Chrome starting in November 2014. W3Schools’ latest report stated that 59.8% of all people on the Internet use Chrome and thus will be affected by this SHA-1 warning.