Industry shift to new password hashing algorithm will affect all SSL certificates: you need to act now.
The browser industry has announced that it will soon cease to recognize digital certificates that use the SHA-1 password hashing algorithm as secure. Certificate providers such as TrustedSecure (Comodo) and Symantec are now issuing certificates with the new, stronger SHA-2 algorithm, which will soon become the default. CSC is pleased to offer free reissuance of certificates to its SSL customers.
What this means for website owners is that in the coming months, browsers such as Mozilla, Chrome and Internet Explorer will begin to display security warnings when they visit websites with the soon-to-be-obsolete SHA-1 certificates.
So as best practice, you should have existing certificates reissued with SHA-2 hashing as soon as possible, and request that all new certificates have SHA-2. (It’s important to note that not all servers support SHA-2 algorithms. You should check your server documentation or with your IT department to confirm whether SHA-2 is supported.) SHA-1 certificates will only be available for purchase up to December 31, 2014.
The table below summarizes the timetable for phasing out SHA-1.
|Effective Date||Certificate Expiration Date||Message|
|Sep 2014||Jan 1, 2017 or later||Chrome warning: “secure, but with minor errors”; displays lock with yellow triangle.|
|Jan 1, 2016 or later||TrustedSecure will only issue SHA-2 certificates.Symantec recommends reissue of SHA-1 to SHA-2.|
|Q3-4 2014||Jan 1, 2017 or later||Mozilla (Firefox) will start rejecting SHA-1 SSL certificates.|
|Nov 2014||June 1, 2016-December 31, 2016||Chrome warning: “secure, but with minor errors”; displays lock with yellow triangle.|
|Jan 1, 2017 or later||Chrome warning: “neutral, lacking security”, and will display a blank page (no lock).|
|Q1 2015||June 1, 2016-December 31, 2016||Chrome warning: “secure, but with minor errors”; displays lock with yellow triangle.|
|Jan 1, 2017 or later||Chrome warning: “affirmatively insecure”; displays a lock with a red X|
|Jan 2016||Any||Microsoft will cease to trust code signing certificates with SHA-1|
|Jan 2017||Any||Microsoft will cease to trust digital certificates with SHA-1|