Categories: Cryptocurrency hack

Final countdown for SHA-1 SSL certificates

SHA-1 SSL certificates which are more popular and an sucessor of MD5 algorithm are now in the final days of what was once one of the most widespread types of SSL certificates:SHA-1.

Now, due to the ever present requirement to strengthen processes and techniques against a background of constantly improving computational power, it is the turn of SHA-1 to be replaced with its successor – SHA-2.

For those cheering the demise of this much-maligned algorithm, the news is good as the end is quite near:

Mozilla Firefox: From Firefox version 51, the browser will show an “untrusted connection” error warning for any site still using SHA-1.

Microsoft Internet Explorer and Edge: Starting on February 14, websites still using SHA-1 will get a rather unpleasant Valentines Day gift: the browsers will not load their websites whatsoever, though users can still opt to continue to the website after seeing a warning message.

Google Chrome: At the end of January next year, with the release of version 56, Chrome will stop trusting any SHA-1 SSL certificate and will provide a security warning.

Apple Safari: We do not have exact dates on when Apple will officially stop trusting SHA-1 certificates. The latest release notes for MacOS urge sites to drop SHA-1 as soon as possible, and websites loaded in the Sierra version already do not show the green padlock that indicates a trusted site.

What older clients don’t support SHA256

Many older clients don’t support SHA256, but the real question is which of those are relevant? The answer will vary depending on the site. For detailed information on client capabilities, head to Comodo, which maintains a detailed summary of SHA256 support for a large number of platforms.

Code-signing certificates

To be trusted by Microsoft applications/platforms, then all SHA1 code signing certificates should be replaced before 1 January 2016.

Digital signatures created from SHA-1 code signing certificates that weretimestamped before 1 January 2016 will continue to be trusted on Windows platforms but digital signatures without a timestamp will not be trusted.  It is always good practice to timestamp digital signatures when signing code.

Personal (S/MIME) certificates

We are not aware of information relating to when SHA1 personal certificates will become obsolete; but they will be in due course. It is recommended to replace these as soon as possible or before 1 January 2016 (as with code-signing certificates).

Further information

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/         http://www.comodo.com/e-commerce/SHA-2-transition.php
http://googleonlinesecurity.blogspot.in/2014/09/gradually-sunsetting-sha-1.html

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

14 hours ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

18 hours ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

18 hours ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

18 hours ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

19 hours ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

21 hours ago