Google Chrome phasing out SSL certs using SHA-1

Replace your weak SSL cert

We’re about to enter the exciting world of the SSL industry. Before you fall asleep or decide to take a pass, spend 27 seconds reading the next section — it summarizes all you need to know about SHA-1 and a big change on the horizon for some SSL certificates.

Google says sayonara to SHA-1

“Most of the secure web is using an insecure algorithm, and Google’s just declared it to be a slow-motion emergency.” ~ Eric Mill, konklone.com

Google® is making a shift in their Chrome™ Web browser to phase out any SSL certificates which are signed using an old hash algorithm (SHA-1) and expire after Dec. 31, 2015. (Learn more about what SSL is and how it works.) While that algorithm hasn’t been cracked, it’s becoming weaker with age and, as an industry, we want to make sure the Internet stays safe.

So, starting in about 10 weeks, Google Chrome is going to start displaying warnings to visitors of websites that continue using the affected certificates. If your website is using an SSL certificate signed with SHA-1 that is valid past 2015, ask your Certificate Authority to provide you with a replacement cert signed with SHA-256.


Why is this happening?

Strong encryption makes it practically impossible for someone without the keys to find out what is being transmitted. When properly implemented, it does an excellent job of keeping unwanted eyes from seeing the information. As technology advances, encryption mechanisms must also be improved.

SHA-1 is the latest algorithm under attack. While there have been no known compromises, it’s only a matter of time. Renowned cryptologist Bruce Schneier predicted that the cost of a successful attack against SHA-1 will be down to $700K in 2015, well within the reach of a determined adversary. Collectively, SSL certificate providers and Web browsers agree that we need to remove the certificates using SHA-1 from the Internet to increase protection of websites and their visitors.

How do I know if I have a SHA-1 cert?

You can run a number of SSL tests online. One example is https://www.ssllabs.com/ssltest. You can also check directly within your favorite browser by clicking on the lock icon and examining the certificate details.
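If you would rather check a certificate offline, here is the same test the Chrome change applies (SHA-1 signature and expiry after Dec. 31, 2015), written as an added example that is not part of the original post. It uses only the Python standard library, walks just enough ASN.1 to read the signature algorithm and the notAfter date from a DER-encoded certificate, and the three sample certificates at the bottom are constructed skeletons for demonstration, not real or verifiable certificates.

```python
from datetime import datetime, timezone

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # SHA-1 with RSA, ECDSA, DSA
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1", "1.2.840.10040.4.3": "dsaWithSHA1"}
SUNSET = datetime(2015, 12, 31, 23, 59, 59, tzinfo=timezone.utc)  # "valid past 2015"

def read_tlv(buf, pos):                        # (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(body):                            # split a SEQUENCE body into (tag, value) elements
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out
def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                          # base-128 arcs; high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def decode_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def check_cert(der):                           # -> (signature algorithm, notAfter, affected)
    tbs, sig_alg = children(read_tlv(der, 0)[1])[:2]      # tbsCertificate, signatureAlgorithm
    oid = decode_oid(children(sig_alg[1])[0][1])
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]  # drop optional [0] version
    not_after = decode_time(*children(fields[3][1])[1])   # serial, signature, issuer, validity
    affected = oid in SHA1_SIG_OIDS and not_after > SUNSET
    return SHA1_SIG_OIDS.get(oid, oid), not_after, affected
def tlv(tag, body):                            # tiny DER encoder for the constructed samples below
    length = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body
def sample_cert(sig_oid, not_after):           # constructed skeleton: right structure, not signed
    alg = tlv(0x30, tlv(0x06, sig_oid) + b"\x05\x00")      # AlgorithmIdentifier with NULL params
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + tlv(0x30, b"") + validity)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))       # tbsCertificate, signatureAlgorithm, signature

SHA1_RSA, SHA256_RSA = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")
LEGACY_SHA1 = sample_cert(SHA1_RSA, b"170101000000Z")      # SHA-1 and valid into 2017: affected
SHORT_SHA1 = sample_cert(SHA1_RSA, b"150601000000Z")       # SHA-1 but expires mid-2015: not affected
NEW_SHA256 = sample_cert(SHA256_RSA, b"170101000000Z")     # SHA-256 signed: not affected
```

A certificate exported from the browser dialog in PEM form can be converted for `check_cert` with the standard library's `ssl.PEM_cert_to_DER_cert()`.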

How do I fix my website?

Fixing your website shouldn’t be too difficult. For the vast majority of customers, asking your Certificate Authority to provide you with a new certificate signed using SHA-2 (the newer family of hash algorithms; SHA-256 is the usual choice), and then installing it, is all you need to do. GoDaddy’s Web hosting customers will be automatically updated. Customers using GoDaddy certs on their own servers will need to re-key their certificates.

What happens if I keep my SHA-1 certificate?

First of all, don’t. Plain and simple. You need to re-key your certificate as soon as possible.

To incentivize SSL certificate owners to move to SHA-2 signatures, Google has outlined a number of phases for its Chrome browser to handle sites that still use SHA-1 certificates. In short, users will receive increasingly worrying error messages about the site.

We’re interested in keeping the Internet safe for everyone, and as an SSL certificate owner, we thank you for taking action.

Learn about the four types of SSL certificates available.

Wildcard SSL Certificate
Extended Validation SSL Certificate
SAN SSL Certificate
Organization Validation SSL Certificate

Image by: Brian Smithson (Old Geordie) via Compfight cc

Wayne Thayer
As VP and General Manager of Security Products at GoDaddy, Wayne is responsible for security products including GoDaddy’s SSL Certification Authority, code signing certificates and partnership with SiteLock. Wayne represents GoDaddy at the CA/Browser Forum, the standards body that defined Extended Validation SSL. When he’s not working or spending time with his family, he enjoys competing in amateur mountain bike races. He completed the famed Leadville Trail 100 race a few years ago.