SHA-1 Phase Out and SHA-2 SSL Certificates

21 Nov

You may have seen that SHA-1 (Secure Hash Algorithm) is being phased out, and this is a good thing generally. SHA-1 is becoming dangerously weak and is pretty old now so it’s time for a replacement.

“Microsoft and Google announced SHA-1 deprecation plans that may affect websites with SHA-1 certificates expiring as early as after December 31, 2015.”

At the time of writing, apparently 90% of websites using SSL are using SHA-1. So, say hello to SHA-2, which is now very widely supported, notably:

  • Chrome 26+
  • Firefox 1.5+
  • Internet Explorer 6+ (With XP SP3+)
  • Konqueror 3.5.6+
  • Mozilla 1.4+
  • Netscape 7.1+
  • Opera 9.0+
  • Safari 3+

Firstly, how to check which hash algorithm your SSL certificate is signed with. You can either click on the certificate and look into the certificate details or you can use these sites:

I tend to lean towards 123-reg for cheap and cheerful certificates. I found this article, which suggests that SHA-2 is supplied by 123-reg by default. When I ran the “Reissue Certificate” command, SHA-2 was enabled by default. (I also confirmed this via Live Chat.)


If you’re still using SHA-1 then it’s probably time to start acting on it – always be prepared.

At the time of writing these sites were still using SHA-1:

In fact, I found it tricky to find any non-SHA-1 websites:

References: