This is a question we get frequently, so we thought we’d put together a page that explains why some testing sites are starting to flag SHA1 as “weak.” Various SSL Labs sites are available that will give you a rundown of what you’re doing right and what you could improve when you’re setting up TLS for your servers. Recently, Qualys and others began noting that SHA1 is considered weak SSL security.
While SHA1 has some problems that have been known about for a while, it’s still in use. Recently, Google announced they are going to deprecate SHA-1 Certificates Soon as a way to get people to switch to the more secure SHA2 and even SHA3 hashing functions that are used for HTTPS connections. Back in November of 2013, Microsoft also announced that they wouldn’t be accepting SHA1 certificates as valid after 2016.
According to SSL Pulse, only around 15% of websites were using SHA256 certificates in September 2014. With Google and Microsoft not accepting them starting in 2016, a lot of people are scrambling to ensure that they have the newer SHA2 technology in place. This is the best way for websites to be sure they’re protecting their visitors’ data completely while they’re visiting and interacting with the site.
Almost ten years ago, it was discovered that SHA1 security could be broke if a person had enough computing power. At that time, the cost was too high for anyone to be able to crack it. However, in 2012, it was found that it was feasible to break the encryption – at least for those who had enough money for computer hardware. As costs continue to decrease and computing power becomes more available, the chances of someone easily cracking SHA1 are becoming higher.
This is why Google and others are changing their software (like Chrome web browser) to not accept SHA1 SSL certificates. The good news is that it’s not difficult to upgrade your SSL certificate. The first thing you want to do is use a website like SSL Tools to check that you’re using SHA256 level encryption for your TLS setup. You want to replace any certificates that use SHA1 before 2016 so that your visitors don’t get errors when they’re browsing your site.
One thing you’ll need to watch out for is older servers. Some software may not be able to handle anything other than a SHA1 certificate, which is going to be a problem. Additionally, some client software may not be able to handle SHA256 encryption, which may also be a problem. For the most part, SHA-256 is currently fully supported on both the OS X 10.5+ and Windows XP SP3+ operating systems.
SHA1 is now considered weak by most security professionals – and is getting weaker all the time. This is why it’s important to start planning a transition to more powerful encryption now. If you wait until the last minute, you’re going to be running around stressed out while you make sure everything works okay and that you get everything in place soon enough. By working toward the goal of getting rid of SHA1 certificates now, you’re going to safe yourself some headaches.