Featured Chrome browser 39+ sunsetting SHA-1 SSL signatures

rdan · Sep 20, 2014

maybe I'm already good? Qualys SSL Labs - Projects / SSL Server Test / phcorner.net
Still the root cert is still SHA1.

eva2000 · Sep 20, 2014

RoldanLT said: ↑

Sorry but don't understand it fully, Do you have the link for Intermediate and Root cert that is already SHA2?
Click to expand...

i mean take both those listed RapidSSL - Knowledge Center - SSL Certificates Support and redo concatenation with your reissued RapidSSL SHA256 SSL certificate.

Or better yet, just reissue your RapidSSL again with SHA256, this time they should give you a full SHA256 chain of SSL intermediates I believe. Maybe ask RapidSSL support too.

rdan · Sep 20, 2014

eva2000 said: ↑

i mean take both those listed RapidSSL - Knowledge Center - SSL Certificates Support and redo concatenation with your reissued RapidSSL SHA256 SSL certificate.

Or better yet, just reissue your RapidSSL again with SHA256, this time they should give you a full SHA256 chain of SSL intermediates I believe. Maybe ask RapidSSL support too.
Click to expand...

Yes I just re issue with SHA2, but still they don't provide root cert that is Sha2.
I can live with it for now.
My domain and intermediate are already SHA2, only root is not.
So I think there's no problem with that.

eva2000 · Sep 20, 2014

yeah CA/root SSL can be SHA1 without problems

rdan · Sep 20, 2014

eva2000 said: ↑

yeah CA/root SSL can be SHA1 without problems
Click to expand...

I can breath now
Thanks!

eva2000 · Oct 10, 2014

Chrome 38 is now released, so the changes in first post regarding sunsetting sha1 will start with next Chrome 39 release !

rdan · Nov 8, 2014

SHA1 Chrome Checker

eva2000 · Nov 8, 2014

nice.. still best overall test which includes SHA1 chain issues is SSLLabs test www.ssllabs.com/ssltest/analyze.html

eva2000 · Nov 27, 2014

So Chrome 39 is here now, so SHA1 sunsetting has started !

Chrome 39.0.2171.71 m for me

Andy · Nov 28, 2014

eva2000 said: ↑

So Chrome 39 is here now, so SHA1 sunsetting has started !

Chrome 39.0.2171.71 m for me
Click to expand...

Version 39.0.2171.71 (64-bit) on Mac OS for me

rdan · Nov 28, 2014

Yeah Version 39.0.2171.71 m (64-bit) for me

eva2000 · Nov 30, 2014

strange using Chrome 39 visiting know sha1 SSL web sites i am not seeing a downgraded SSL lock icon at all ?

Andy · Dec 1, 2014

eva2000 said: ↑

strange using Chrome 39 visiting know sha1 SSL web sites i am not seeing a downgraded SSL lock icon at all ?
Click to expand...

I don't think it will show yet. Probably in late 2015.

eva2000 · Apr 12, 2015

Still ongoing - latest update from Microsoft Microsoft announces updates to SHA-1 deprecation policy for Code Signing

Microsoft has recently announced two major updates regarding their SHA-1 deprecation policy for Code Signing Certificates. The first pertains to an update for supporting SHA-2 Code Signing by Windows 7 and Windows Server 2008 R2 and the second update allows Certificate Authorities to continue issuing SHA-1 Code Signing Certificates after January 1st, 2016 to support platforms that don't support SHA-2 yet.

Microsoft announces updates to SHA-1 deprecation policy for Code Signing
A Windows update for Windows 7 and Windows Server 2008 R2 was re-instated to support SHA-2 Code Signing Certificates on March 10th, 2015. Microsoft previously released a similar update on October 14th, 2014, but after issues were detected the update was removed from the Microsoft Download Center. The new update enables Windows 7 and Windows Server 2008 R2 to verify SHA-2 Code Signing Certificates and accept SHA-2 Code Signed Drivers. Windows Vista, Windows Server 2008 and earlier platforms are outside the scope of this update and still cannot support SHA-2 Code Signed Kernel Drivers.

Continuance of SHA-1 Code Signing Certificates issuance
In order to provide Code Signed Drivers which can be verified and accepted by Windows Vista, Windows Server 2008 and earlier platforms, CAs are allowed to continue issuing SHA-1 Code Signing Certificates after January 1 st , 2016. However, SHA-1 Code Signing Certificates should be used for targeting at these earlier platforms only due to the fact that SHA-1 is no longer considered to be secure and is susceptible to attacks. Windows 7 and later platforms will stop accepting SHA-1 Code Signing Certificates after January 1 st , 2016. Software developers may need to use both SHA-1 and SHA-2 certificates depending on the target platforms.
Click to expand...

eva2000 · Oct 9, 2015

I still come across https sites with SHA1 !

But scary

SHA1 algorithm securing e-commerce and software could break by year’s end | Ars Technica

The Shappening

Thursday's research showing SHA1 is weaker than previously thought comes as browser developers and certificate authorities are considering a proposal that would extend the permitted issuance of the SHA1-based HTTPS certificates by 12 months, that is through the end of 2016 rather than no later than January of that year. The proposal argued that some large organizations currently find it hard to move to a more secure hashing algorithm for their digital certificates and need the additional year to make the transition.

The paper was written by Marc Stevens, Pierre Karpman, and Thomas Peyrin. The new calculations, should they be confirmed by the researchers' peers, are likely to provide a strong argument for voting no and instead quickly migrating to use of SHA2, which is much more resistant to collisions.
Click to expand...

eva2000 · Jan 31, 2016

SHA1 is nearing it's end Facebook security warning over expiring algorithm - BBC News

older web browsers beware !

Web browsing will get much riskier for millions of people when a key security algorithm stops being used, warns Facebook.

The algorithm, known as SHA-1, will stop being supported by web browsing programs during 2016.

Its replacement - SHA-2 - will not be compatible with older web browsers.

Facebook said many of those exposed when SHA-1 is retired live in regions where web use is closely watched.

"We don't think it's right to cut tens of millions of people off from the benefits of the encrypted internet," wrote Alex Stamos, Facebook's chief security officer in a blogpost.

Two-tier web
Statistics gathered by Facebook suggest that 3-7% of all web browsers are so old that they cannot use SHA-2.

SHA-1 is used in a lot of security measures as a guarantee of identity and to conceal what people do online. But the cost of mounting an attack has fallen sharply recently so it has become much more straightforward for attackers to impersonate websites and spy on data.

Security firm Cloudflare has also issued warnings about the retirement of SHA-1 and drawn up a list of the nations where older browsers that cannot work with the new version are most prominent.
Click to expand...

eva2000 · Feb 3, 2016

Ah Paypal is moving from SHA1 to SHA2 SSL certificates now

https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766

https://www.paypal-knowledge.com/in...t&widgetview=true&id=FAQ1913&viewlocale=en_US

PayPal is upgrading the protocols used to secure all external connections made to our systems. Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will become mandatory for communication with PayPal in 2016. You will need to verify that your environment supports TLS 1.2 and HTTP/1.1, and if necessary make appropriate updates. For information, click HERE.

Act by June 17, 2016

PayPal is in the process of upgrading the SSL certificates used to secure our web sites and API endpoints. These new certificates will be signed using the SHA-256 algorithm and VeriSign's 2048-bit G5 Root Certificate. You will need to ensure that your environment supports the use of the SHA-256 signing algorithm and discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate. For information, click HERE.

Act by June 17, 2016
Click to expand...

WinXP users that don't support SHA2 will need to update. Possibly prompting them to update their OS eventually ?

eva2000 · Oct 20, 2016

Mozilla/Firefox on SHA-1 Phasing Out SHA-1 on the Public Web | Mozilla Security Blog

In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.

This policy has been included as an option in Firefox 51, and we plan to gradually ramp up its usage. Firefox 51 is currently in Developer Edition, and is currently scheduled for release in January 2017. We intend to enable this deprecation of SHA-1 SSL certificates for a subset of Beta users during the beta phase for 51 (beginning November 7) to evaluate the impact of the policy on real-world usage. As we gain confidence, we’ll increase the number of participating Beta users. Once Firefox 51 is released in January, we plan to proceed the same way, starting with a subset of users and eventually disabling support for SHA-1 certificates from publicly-trusted certificate authorities in early 2017.

Questions about SHA-1 based certificates should be directed to the mozilla.dev.security.policyforum.
Click to expand...

Log in / Register

Forums

Join the community today

Featured Chrome browser 39+ sunsetting SHA-1 SSL signatures

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Andy Active Member

rdan Well-Known Member

eva2000 Administrator Staff Member

Andy Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Featured Chrome browser 39+ sunsetting SHA-1 SSL signatures

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Andy Active Member

rdan Well-Known Member

eva2000 Administrator Staff Member

Andy Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.