In light of recent research which contends that the SHA-1 hashing algorithm could be more vulnerable to attack than was previously thought, both Microsoft and Mozilla have begun discussions to bring forward the date when their browsers will reject SHA-1 based SSL/TLS certificates.
Although not yet confirmed, Mozilla is considering rejecting SHA-1 certificates after July 1st 2016, while Microsoft may start to reject them after the slightly earlier date of June 2016. If these plans become policy, then Firefox and Internet Explorer/Edge will show error messages whenever they encounter a SHA-1 certificate after the new dates. The previous deadline was January 1st 2017 as explained in our advisories here and here.
We anticipate Google may announce a similar timeline for their Chrome Browser soon. Because of this, we strongly recommend customers replace any SHA-1 SSL/TLS certificates on their websites, free of charge, with a SHA-2 version no later than May 31st 2016.
The following table summarizes the proposed new dates when the major browsers will cease to trust SHA-1 signed SSL/TLS certificates:
Readers should consider all dates as subject to change pending further review from Microsoft, Google and Mozilla.
How do I know if I am affected?
Enter your domain in our certificate checker at https://sslanalyzer.comodoca.com/ . The ‘signature’ row will tell you if you have a SHA-1 certificate. If so, please get a free SHA-2 replacement from Comodo before May 31st 2016. If your certificate expires before May 31st then you are free to let it expire as normal, but we advise you get a SHA-2 replacement at the earliest opportunity anyway to ensure the highest levels of protection for your visitors.
How do I get a SHA-2 certificate?
Comodo offers a free certificate replacement program to all customers. To replace your SHA-1 certificate, log into your Comodo account, locate your certificate order and use the ‘Replace Certificate’ facility. Please make sure to supply a SHA-2 CSR (or select the ‘SHA-2’ option under ‘Hash Algorithm’ on the certificate order form). We will also reach out to Comodo customers and partners with SHA-1 certificates that expire after May 31st 2016 to help them obtain a replacement. More guidance can be found in this support article.
Does anything still need SHA-1?
There is a full list of operating systems, browsers and servers which support SHA-2 on the CA Security Council website here. If you have a particular piece of software that you have concerns over, we suggest contacting the software vendor to see if they have, or are planning to offer, SHA-2 support.
Comodo has a test site that uses a SHA-2 certificate. You can test software and devices against this URL to attempt to determine SHA-2 compatibility: https://sha256rsa.comodoca.com
Comodo will continue to monitor the situation and work with our customers to ensure the SHA-2 upgrade goes as smoothly as possible. If you have questions about the transition, please contact your Comodo account manager or Comodo support directly on firstname.lastname@example.org
Does this affect Code-Signing certificates?
There have also been minor adjustments to Microsoft’s policy on SHA-1 code signing certificates:
|Code Signing Certificates|
Please note that although CAs MAY issue SHA-1 code-signing certificates after Jan 1st 2016, code signed (and timestamped) with a SHA-1 signature or using a SHA-1 certificate WILL NOT WORK for standard Authenticode signing for code to run on Windows 7 and upwards.
References and further reading