SHA-1 deprecation – Microsoft and Mozilla propose new, earlier dates of June/July 2016 for SSL/TLS

November 16, 2015 | By Comodo

In light of recent research which contends that the SHA-1 hashing algorithm could be more vulnerable to attack than was previously thought, both Microsoft and Mozilla have begun discussions to bring forward the date when their browsers will reject SHA-1 based SSL/TLS certificates.

Although not yet confirmed, Mozilla is considering rejecting SHA-1 certificates after July 1st 2016, while Microsoft may start to reject them after the slightly earlier date of June 2016. If these plans become policy, then Firefox and Internet Explorer/Edge will show error messages whenever they encounter a SHA-1 certificate after the new dates. The previous deadline was January 1st 2017 as explained in our advisories here and here.

We anticipate Google may announce a similar timeline for their Chrome browser soon. Because of this, we strongly recommend customers replace any SHA-1 SSL/TLS certificates on their websites with SHA-2 versions (free of charge from Comodo) no later than May 31st 2016.

The following table summarizes the proposed new dates when the major browsers will cease to trust SHA-1 signed SSL/TLS certificates:

SSL/TLS Certificates

Browser              Current Deadline   Proposed Deadline
Microsoft IE/Edge    Jan 1st 2017       June 1st 2016
Mozilla Firefox      Jan 1st 2017       July 1st 2016
Google Chrome        Jan 1st 2017       Not announced yet

Mozilla blog: https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/

Microsoft blog: https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/

Readers should consider all dates as subject to change pending further review from Microsoft, Google and Mozilla.

How do I know if I am affected?

Enter your domain in our certificate checker at https://sslanalyzer.comodoca.com/. The ‘signature’ row will tell you if you have a SHA-1 certificate. If so, please get a free SHA-2 replacement from Comodo before May 31st 2016. If your certificate expires before May 31st then you are free to let it expire as normal, but we advise you get a SHA-2 replacement at the earliest opportunity anyway to ensure the highest levels of protection for your visitors.

How do I get a SHA-2 certificate?

Comodo offers a free certificate replacement program to all customers. To replace your SHA-1 certificate, log into your Comodo account, locate your certificate order and use the ‘Replace Certificate’ facility. Please make sure to supply a SHA-2 CSR (or select the ‘SHA-2’ option under ‘Hash Algorithm’ on the certificate order form). We will also reach out to Comodo customers and partners with SHA-1 certificates that expire after May 31st 2016 to help them obtain a replacement. More guidance can be found in this support article.
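As an added example (not Comodo's code, and not the logic behind the certificate checker linked above), the Python below performs the same "which hash signed this?" check offline. It decodes just enough DER to reach the outer signatureAlgorithm OID of an X.509 certificate and reports whether the hash is SHA-1 or SHA-2. Because a PKCS#10 CSR ends with the same AlgorithmIdentifier, the same function confirms that a CSR is SHA-2 before it is pasted into the ‘Replace Certificate’ form. The OID table, the `fake_cert` fixture and every sample value are constructed for this demonstration; for a real check, feed `pem_to_der` the PEM from a file or from `ssl.get_server_certificate((host, 443))`.

```python
"""Report the signature hash (SHA-1 vs SHA-2) of a DER X.509 certificate or PKCS#10 CSR.
Added example, not Comodo's code; decodes just enough DER to reach the outer signatureAlgorithm."""
import base64
import re

# Constructed lookup: signature-algorithm OID -> (name, hash family).
SIG_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", "SHA-2"),
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a certificate or CSR."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # body = tbsCertificate (or certificationRequestInfo) | AlgorithmIdentifier | BIT STRING
    _, _, pos = _read_tlv(body, 0)            # skip the signed portion
    tag, algid, _ = _read_tlv(body, pos)      # AlgorithmIdentifier SEQUENCE
    tag2, oid_bytes, _ = _read_tlv(algid, 0)  # its first element is the OID
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("AlgorithmIdentifier not where expected")
    return _decode_oid(oid_bytes)

def classify(der):
    """Summarise the signature algorithm; anything hashed with SHA-1 needs replacing."""
    oid = signature_oid(der)
    name, family = SIG_OIDS.get(oid, (oid, "unknown"))
    return {"oid": oid, "algorithm": name, "hash": family, "needs_replacement": family == "SHA-1"}

def pem_to_der(pem):
    """Strip PEM armour (any label, so certificates and CSRs both work) and base64-decode."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))

def to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armour (used here to exercise pem_to_der)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

# --- constructed fixture: a minimal DER encoder and a stand-in "certificate" (not a real one) ---

def _der(tag, content):
    """Encode a TLV, using long-form length when content is 128 bytes or more."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    """Encode a dotted OID into base-128 OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert(sig_oid):
    """Stand-in with the real outer layout: dummy TBS, AlgorithmIdentifier under test, zero signature."""
    tbs = _der(0x30, _der(0x02, b"\x01") * 60)                          # 180 bytes -> long-form length
    algid = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = _der(0x03, b"\x00" * 17)                                       # unused-bits byte + zero bits
    return _der(0x30, tbs + algid + sig)
```

Only the outermost structure is walked, so the same code applies to both artefacts without parsing names, extensions or keys; an unknown OID is reported as `"unknown"` rather than silently passed, so that anything outside the constructed table is looked at by hand.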

Does anything still need SHA-1?

There is a full list of operating systems, browsers and servers which support SHA-2 on the CA Security Council website here. If you have a particular piece of software that you have concerns over, we suggest contacting the software vendor to see if they have, or are planning to offer, SHA-2 support.

Comodo has a test site that uses a SHA-2 certificate. You can test software and devices against this URL to attempt to determine SHA-2 compatibility: https://sha256rsa.comodoca.com

Comodo will continue to monitor the situation and work with our customers to ensure the SHA-2 upgrade goes as smoothly as possible. If you have questions about the transition, please contact your Comodo account manager or Comodo support directly at support@comodo.com.

Does this affect Code-Signing certificates?

There have also been minor adjustments to Microsoft’s policy on SHA-1 code signing certificates:

Code Signing Certificates

From Jan 1st 2016:
– Windows 7 upwards will only trust SHA-2 signed code
– CAs will no longer issue SHA-1 code signing certificates
– CAs MAY issue SHA-1 certificates to developers targeting Windows Vista or Server 2008 only

Please note that although CAs MAY issue SHA-1 code-signing certificates after Jan 1st 2016, code signed (and timestamped) with a SHA-1 signature or using a SHA-1 certificate WILL NOT WORK for standard Authenticode signing for code to run on Windows 7 and upwards.

Microsoft enforcement: http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B

References and further reading
https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/
https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B
https://sites.google.com/site/itstheshappening/
https://www.comodo.com/e-commerce/SHA-2-transition-next-steps.php
https://www.comodo.com/e-commerce/SHA-2-transition.php
https://casecurity.org/2014/01/30/why-we-need-to-move-to-sha-2/
https://casecurity.org/2013/12/16/sha-1-deprecation-on-to-sha-2/
