The following post is to advise those of you who run public-facing websites that use SSL: Google Chrome will start showing users warning messages when they access sites that use SHA-1 based SSL certificates.
By the way, this is scheduled to start happening in under a month from now. And if you are like me and test SSL on the sites you manage and visit, you will have noticed that many of these tests now flag SHA-1 as insecure and lower your site's security rating.
What is SHA-1?
The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago.
Why change it now?
Well, it's not that this is new news. SHA-1's use on the Internet has been deprecated since 2011. However, change across the world takes a bit more time, and the advancement of computing technology brings with it the ability to mount collision attacks. So companies such as Google, projects such as Firefox, and Microsoft too are all sunsetting SHA-1.
What does this mean for me?
This means you need to have your certificates re-keyed through your SSL provider, using a certificate signing request (CSR) with a SHA-256 signing hash, if you don't want people to get browser warnings.
But IIS doesn’t offer this?
You are correct, it doesn't. If you are using IIS, regardless of which version of Windows you run (2003-2012), you can only generate SHA-1 certificates. So it's time to embrace the power of Linux, or simply OpenSSL, to get the job done.
So my advice is that you start making the change now, so that you don't have to deal with the embarrassment of your customers and site visitors asking why your SSL-enabled site is reporting warnings.
Warning Example: This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.
Check your SSL Sites – https://www.digicert.com/sha1-sunset/
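As an added example (not code from the original post), this shell script uses OpenSSL to generate the SHA-256 signed CSR needed for re-keying, as described above, and to report which signature algorithm an existing certificate file or a live site uses, the same check the DigiCert link performs. The host www.example.com and the temp directory are assumptions, and the self-signed certificates it builds are constructed only to exercise the check.

```shell
# Added example, not code from the original post. Assumes the openssl CLI is on
# PATH and the temp directory is writable; www.example.com is a placeholder host.
set -eu

WORK="${TMPDIR:-/tmp}/sha256-rekey.$$"
mkdir -p "$WORK"

# New 2048-bit RSA key plus a CSR signed with SHA-256: this is what you hand to the CA.
make_sha256_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    echo "$WORK/$1.csr"
}

# Print the signature algorithm of a CSR, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Print the signature algorithm of a PEM certificate file.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Fetch the certificate a live site serves and print its signature algorithm (needs network).
site_sig_alg() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Return 0 (true) when a certificate is SHA-1 signed and should be re-keyed.
is_sha1_signed() {
    case "$(cert_sig_alg "$1")" in sha1*) return 0 ;; *) return 1 ;; esac
}

# Test-only helper: constructed self-signed cert with the given hash, to exercise the check.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes "-$2" -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1-$2.key" -out "$WORK/$1-$2.crt" >/dev/null 2>&1 \
        && echo "$WORK/$1-$2.crt"
}

# Demo: build a SHA-256 CSR, then run the check against SHA-1 and SHA-256 signed certs.
csr=$(make_sha256_csr www.example.com)
echo "CSR signature algorithm: $(csr_sig_alg "$csr")"
for h in sha1 sha256; do
    crt=$(make_selfsigned www.example.com "$h") || { echo "$h: signing refused by this OpenSSL build"; continue; }
    if is_sha1_signed "$crt"; then echo "$crt: SHA-1 signed, re-key it"; else echo "$crt: OK"; fi
done
```

Newer OpenSSL builds may refuse to produce the SHA-1 test certificate at all, which the loop reports rather than treating as an error.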