Browsers Phasing Out Certificates with SHA-1 Encryption

The web is constantly changing as we strive to keep on top of the latest trends and changes. Recently, major browsers announced that they will be phasing out support for SSL certificates signed with SHA-1, which means that you will need to update your certificates to a stronger signature hash from the SHA-2 family, such as SHA-256, SHA-384, or SHA-512. Your SSL certificate provider is able to upgrade your certificate for you.

How Does This Affect My Site?

Major browsers, including Chrome, Firefox, and Internet Explorer, have announced that future releases will deprecate SHA-1 signatures and will soon show “Site Insecure” warnings before users can access sites that use SHA-1 certificates. In effect, your sites will no longer be accessible without a warning, which may cause visitors to leave. This applies only to sites with certificates that expire during or after 2016. We strongly recommend that you coordinate with your SSL provider and update your certificates to a stronger signature hash algorithm.

How Can I Upgrade my SSL Cert in Cloud Sites?

In your control panel, please go to your site’s security tab and select the “edit/renew” option in order to renew your certificate and maintain your same SSL IP address.

Cloud Sites has recently added the ability for you to obtain your CSR, so that you can provide it to your SSL cert provider, allowing them to upgrade your certificate for you. Here is our Knowledge Center link with instructions on updating your certificate:

http://www.rackspace.com/knowledge_center/article/how-do-i-update-my-existing-ssl-certificate

 

If you would like to check whether your site’s SSL certificate is signed with SHA-1, feel free to use the following URL:

https://shaaaaaaaaaaaaa.com/
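The same check can be done locally by reading the `signatureAlgorithm` field of the certificate. The following is an added example, not Cloud Sites code: the function names are made up for illustration, and the two sample inputs are constructed skeletons (stub contents, all-zero signature) rather than real certificates.

```python
import ssl

SIG_OIDS = {  # Certificate.signatureAlgorithm OID -> (name, hash family)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
}

def read_tlv(buf, pos, want):
    """Return (value, next_pos) of the DER element at pos, which must have tag `want`."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want or pos + length > len(buf):
        raise ValueError("not a well-formed X.509 certificate")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify(cert_der):
    """Return (algorithm name, hash family) of the CA signature on a DER certificate."""
    cert, _ = read_tlv(cert_der, 0, 0x30)  # Certificate ::= SEQUENCE {
    _, pos = read_tlv(cert, 0, 0x30)       #   tbsCertificate (skipped)
    alg, _ = read_tlv(cert, pos, 0x30)     #   signatureAlgorithm
    oid, _ = read_tlv(alg, 0, 0x06)        #     algorithm OBJECT IDENTIFIER
    oid = decode_oid(oid)
    return SIG_OIDS.get(oid, (oid, "unknown"))

def check_host(host, port=443):  # leaf certificate of a live server (needs network)
    return classify(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))))

def tlv(tag, body):  # minimal DER encoder, used only to build the constructed samples
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample(last_arc):  # constructed skeleton: stub tbsCertificate, all-zero signature
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"\x02\x01\x01") + alg + tlv(0x03, bytes(257)))

SAMPLE_SHA1, SAMPLE_SHA256 = sample(5), sample(11)
```

`check_host` looks only at the leaf certificate the server presents; intermediate certificates carry their own signatures and need the same check, since the browser policies quoted on this page also cover the chain.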

More information on the major web browsers’ announcements:

Mozilla Firefox Statement on SHA-1: 

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms

“We agree with the positions of Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016, or trusted after January 1, 2017. In particular, CAs should not be issuing new SHA-1 certificates for SSL and Code Signing, and should be migrating their customers off of SHA-1 intermediate and end-entity certificates. If a CA still needs to issue SHA-1 certificates for compatibility reasons, then those SHA-1 certificates should expire before January 2017.”

Google Chrome Statement on SHA-1:

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

“Sites with end-entity (“leaf”) certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.”

Internet Explorer:

http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

“Microsoft has announced a new policy for Certificate Authorities (CAs) that deprecates the use of the SHA1 algorithm in SSL and code signing certificates, in favor of SHA2. The policy affects CAs who are members of the Windows Root Certificate Program who issue publicly trusted certificates. It will allow CAs to continue to issue SSL and code signing certificates until January 1 2016, and thereafter issue SHA2 certificates only.”

Your Cloud Sites team appreciates your understanding and support. If you have any questions, please leave a comment below and for more information about Cloud Sites, please visit us at cloudsitesblog.liquidweb.com.