SHA-1 Deprecation


The news is that SHA-1, a very popular hashing function, is Deprecated beyond 2010.

Strictly speaking, this development is not new. The first signs of weaknesses in SHA-1 appeared (almost) ten years ago.

In 2012, some calculations showed how breaking SHA-1 is becoming feasible for those who can afford it. In November 2013, Microsoft announced that they wouldn't be accepting SHA1 certificates after 2016. However, we are in a bit of a panic now because Google followed up to say that they will soon start penalising sites that use SHA1 certificates that expire during 2016 and after. This is a major policy change that requires immediate action—according to SSL Pulse, only 15% sites use SHA256 certificates in September 2014.

What you should do#

Before this most recent development, the advice was very simple: don't use SHA-1 certificates past 2016. Google's decision implies it no longer safe to use SHA-1 (with Google Chrome) even during 2016. For some sites there may not be a satisfactory outcome no matter what they do if their desire is to maintain an error-free presence with Chrome they might need to cut off some older clients. Here's what Qualys recommends:

Read the recent announcements#

Within months, certificates that expire after 2016 will be affected. Relatively soon thereafter, further changes will be introduced that will impact the certificates that expire during 2016.

Ensure new certificate and their chains use SHA256#

Ensure new certificate and their chains use SHA256. This is critical—if your new certificates are not guaranteed to be SHA256 then all your other efforts will be pointless. If you do this, all SHA-1 certificates that expire by the end of 2015 will be guaranteed to be ready for 2016 without further effort.

Remember, It is also necessary to check that the entire certificate chain is free of SHA-1. It is not common, but there are cases where the leaf uses SHA256 but one of the intermediates uses SHA-1. Signatures on roots are not used and Chrome won't warn about them even if they are SHA-1.

Companies that use centralized certificate procurement should find this step straightforward. For those that are not, perhaps this is a good opportunity to consider centralizing further Certificate issuance.

Inventory your existing certificates #

This might be difficult, depending on your environment. Automated scanning is not only easy to do once, but can also be repeated regularly to ensure new SHA-1 certificates are not introduced. There are companies that offer products for this; for example one of the QualysGuard modules do this automatically after scanning the entire company network.

Replace SHA-1 certificates that expire after 2015 #

Start with those used on your most important sites and those that expire after 2016. Those will be the worst affected by the proposed changes and might stop working in 2017.

Then work your way to replace the remaining certificates. These steps are time consuming but shouldn't involve further direct costs because most third-party Certificate Authoritys will reissue certificates for free. However, there are some special cases you might wish to consider:

  • Older server platforms might not be able to support SHA256 certificates. For example, that's the case with Windows Server 2003. Thus, upgrading to a SHA256 certificate might require an upgrade or patching of the underlying platform.
  • Some older clients don't support SHA256. Most general-purpose sites can upgrade to SHA256 and expect the users to upgrade, too, but large sites with diverse user bases might want to preserve SHA-1 compatibility for as long as possible. In some cases that will be possible with multiple certificate deployment.

What older clients don't support SHA256#

Many older clients don't support SHA256, but the real question is which of those are relevant to your site(s)? For detailed information on client capabilities, head to GlobalSign, which maintains a detailed summary of SHA256 support for a large number of platforms. On the desktop, Windows XP introduced SHA256 in Service Pack 3. Users running SP2 should be able to upgrade to SP3. Depending on a site's profile, a significant chunk of the user base might be running XP. The XP operating system is still very popular in China and there is also strong anecdotal evidence that it remains widely used in some large organizations. Among the mobile platforms, Android added SHA256 support in version 2.3. Earlier versions—still used in large numbers—support onlySHA-1.

What if you need to support older clients?#

Technically, it is possible to have the best of both worlds by providing SHA256 certificates to modern clients and serve SHA-1 to those that can not do better. Indeed, there's nothing to say that a site can't use more than one certificate at the same time. This approach is ideal for transitions such as this one. At this time, a site could use two certificates: ECDSA+SHA256 for modern clients and RSA+SHA-1 for older clients. Unfortunately, this feature might not be available for your favorite platform. As far as We are aware, Apache is the only major server to support multiple certificates. As for NON-Apache platforms, Cloudflare and Yahoo have stated that they will add support to NGINX and Apache Traffic server, respectively.


In addition to SHA-1 Deprecation, there are also other Exploits to worry about. SHAttered shows an actual Cryptographic Collision form the use of SHA-1

More Information#

There might be more information for this subject on one of the following: