Stories
Slash Boxes
Comments

SoylentNews is people

Final Warning: Popular Browsers Will Soon Stop Accepting SHA-1 Certificates

posted by CoolHand on Friday November 18 2016, @08:32PM   Printer-friendly
from the CERTainly-time-to-update dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

Starting with Chrome 56, planned to be released to the wider public at the end of January 2017, Google will remove support for SHA-1 certificates.

"The SHA-1 cryptographic hash algorithm first showed signs of weakness over eleven years ago and recent research points to the imminent possibility of attacks that could directly impact the integrity of the Web PKI," Chrome Security team member Andrew Whalley explained.

“Website operators are urged to check for the use of SHA-1 certificates and immediately contact their CA for a SHA-256 [i.e. SHA-2] based replacement if any are found,” he advised.

Certificate Authorities stopped issuing SHA-1 signed SSL/TLS certificates on January 1, 2016, but some of them are still valid.

Source: https://www.helpnetsecurity.com/2016/11/17/browsers-stop-sha-1-certificates/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Final Warning: Popular Browsers Will Soon Stop Accepting SHA-1 Certificates | Log In/Create an Account | Top | 8 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 5, Informative) by edIII on Saturday November 19 2016, @01:04AM

    by edIII (791) on Saturday November 19 2016, @01:04AM (#429220)

    Not really that hard for small operators like myself. www.ssllabs.com or Mozilla's observatory are very good at showing exactly what is going with your certs and the main summaries always indicate the algorithm. They even grade them and give pointers on how to get the A+'s. If you followed every recommendation they made, you would have a moderately secure server as far as SSL security is concerned. I had no idea about a recent vulnerability, but check every week or so, and found the new oracle padding vulnerability and had it patched with their instructions within two minutes and went from F to A+ again. Some of that might be difficult for somebody without shell or shell experience admittedly.

    Let's Encrypt has made it fairly easy as well to generate certs for *free* and they *start* at SHA-2. I just checked one of mine and it was SHA256withRSA. For those who can't get a shell I found this [letsencrypt-for-cpanel.com] very quickly and imagine there are similar features in other platforms as well, or coming soon.

    There has been progress in making it easier just like you suggested.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    Starting Score:    1  point
    Moderation   +3  
       Insightful=1, Informative=2, Total=3
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   5