Final countdown for SHA-1 SSL certificates

SHA-1 SSL certificates which are more popular and an sucessor of MD5 algorithm are now in the final days of what was once one of the most widespread types of SSL certificates:SHA-1.

Now, due to the ever present requirement to strengthen processes and techniques against a background of constantly improving computational power, it is the turn of SHA-1 to be replaced with its successor – SHA-2.

For those cheering the demise of this much-maligned algorithm, the news is good as the end is quite near:

- Advertisement -

Mozilla Firefox: From Firefox version 51, the browser will show an “untrusted connection” error warning for any site still using SHA-1.

Microsoft Internet Explorer and Edge: Starting on February 14, websites still using SHA-1 will get a rather unpleasant Valentines Day gift: the browsers will not load their websites whatsoever, though users can still opt to continue to the website after seeing a warning message.

Google Chrome: At the end of January next year, with the release of version 56, Chrome will stop trusting any SHA-1 SSL certificate and will provide a security warning.

Apple Safari: We do not have exact dates on when Apple will officially stop trusting SHA-1 certificates. The latest release notes for MacOS urge sites to drop SHA-1 as soon as possible, and websites loaded in the Sierra version already do not show the green padlock that indicates a trusted site.

What older clients don’t support SHA256

Many older clients don’t support SHA256, but the real question is which of those are relevant? The answer will vary depending on the site. For detailed information on client capabilities, head to Comodo, which maintains a detailed summary of SHA256 support for a large number of platforms.

Code-signing certificates

To be trusted by Microsoft applications/platforms, then all SHA1 code signing certificates should be replaced before 1 January 2016.

Digital signatures created from SHA-1 code signing certificates that weretimestamped before 1 January 2016 will continue to be trusted on Windows platforms but digital signatures without a timestamp will not be trusted.  It is always good practice to timestamp digital signatures when signing code.

Personal (S/MIME) certificates

We are not aware of information relating to when SHA1 personal certificates will become obsolete; but they will be in due course. It is recommended to replace these as soon as possible or before 1 January 2016 (as with code-signing certificates).

Further information

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/         http://www.comodo.com/e-commerce/SHA-2-transition.php
http://googleonlinesecurity.blogspot.in/2014/09/gradually-sunsetting-sha-1.html