Saturday, June 22, 2024

Final countdown for SHA-1 SSL certificates

SHA-1 SSL certificates which are more popular and an sucessor of MD5 algorithm are now in the final days of what was once one of the most widespread types of SSL certificates:SHA-1.

Now, due to the ever present requirement to strengthen processes and techniques against a background of constantly improving computational power, it is the turn of SHA-1 to be replaced with its successor – SHA-2.

For those cheering the demise of this much-maligned algorithm, the news is good as the end is quite near:

Mozilla Firefox: From Firefox version 51, the browser will show an “untrusted connection” error warning for any site still using SHA-1.

Microsoft Internet Explorer and Edge: Starting on February 14, websites still using SHA-1 will get a rather unpleasant Valentines Day gift: the browsers will not load their websites whatsoever, though users can still opt to continue to the website after seeing a warning message.

Google Chrome: At the end of January next year, with the release of version 56, Chrome will stop trusting any SHA-1 SSL certificate and will provide a security warning.

Apple Safari: We do not have exact dates on when Apple will officially stop trusting SHA-1 certificates. The latest release notes for MacOS urge sites to drop SHA-1 as soon as possible, and websites loaded in the Sierra version already do not show the green padlock that indicates a trusted site.

What older clients don’t support SHA256

Many older clients don’t support SHA256, but the real question is which of those are relevant? The answer will vary depending on the site. For detailed information on client capabilities, head to Comodo, which maintains a detailed summary of SHA256 support for a large number of platforms.

Code-signing certificates

To be trusted by Microsoft applications/platforms, then all SHA1 code signing certificates should be replaced before 1 January 2016.

Digital signatures created from SHA-1 code signing certificates that weretimestamped before 1 January 2016 will continue to be trusted on Windows platforms but digital signatures without a timestamp will not be trusted.  It is always good practice to timestamp digital signatures when signing code.

Personal (S/MIME) certificates

We are not aware of information relating to when SHA1 personal certificates will become obsolete; but they will be in due course. It is recommended to replace these as soon as possible or before 1 January 2016 (as with code-signing certificates).

Further information


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles