As computer power continues to advance, SHA1 hashing has become much easier to break. This story has repeated itself in the past, first it was SHA0 then as technology advanced we had to move on to SHA1 and now SHA2.
SHA is a very popular hashing algorithm that is used by certification authorities to sign certificates. Its first version SHA0 was introduced in 1993, followed by SHA1, SHA2, and most recently SHA3 in 2012.
SHA2 the successor of SHA1 has four hashing functions: SHA224, SHA256, SHA512 and works the same way as SHA1 but stronger and generates a longer hashing algorithm (the default hashing that is used is SHA256). If you are attempting to test or you want to create a certificate using SHA224 or SHA512 I suggest using openSSL.
Microsoft and Google have announced that support for SHA1 will be deprecated in browsers and this will affect most certificates expiring after December 2015. According to Google, the conversion to SHA2 will be done in multiple phases. Starting from Google Chrome version 39, it will display visual security indicators (a yellow triangle or X and crossed https in red) for certificates that are still using SHA1 and expire after January 2016.
Google’s plan for Chrome is as follows:
1) Version 39 (around September 2014) Google Chrome displays a yellow triangle indicating that the certificate expires on or after January 2016.
2) Version 40: Sites with certificate expiry dates between June 1, 2016 and December 31, 2016, which still include a SHA1 signature will be considered secure with minor errors. Sites with the expiry date on or after January 1, 2017 and include SHA1 signature will be considered neutral, however lacking security. In this case, the display on the browser will be normal.
3) Version 41: Sites with certificates expiring between January 1, 2016 and December 31, 2016, which include the SHA1 signature as part of the certificate chain will be considered trusted with minor errors. Sites with expiry dates on or after January 1, 2017 which include the SHA1 hashing signature as part of the certificate chain will be considered “active mixed content” and the display on the browser will show an “x” and crossed out https (both in the color red).
As for Microsoft, on January 1, 2016 they announced that all certificates issued by the CA servers who are members of the Windows root certificate program will issue SHA2 certificates only. All certificates with SHA1 will continue to be supported until January 1, 2017.
So what do Windows users need to do to comply with these new changes? Nothing, the operating systems that are still under Microsoft’s radar have already picked the SHA2 support functionality i.e.:
- Windows XP with Service Pack 3 supports SHA2 SSL certificates.
- Windows server 2003 Service Pack 2 or later added SHA2 functionality to SSL certificate by hotfixes KB968730 and KB938397.
- All website operators with certificates that expire after January 1, 2017 require a certificate that supports SHA2.
Click here to check if your certificate is SHA1.