WordPress Security: Reminder to Upgrade SSL Certificates from SHA1 to SHA2

With Chrome version 39, which is in the process of being released (see footnote), Google has started issuing warnings when a website uses a certificate whose signature algorithm is based on the older and less secure SHA-1 hash. The warning is only issued for SHA-1 certificates that are valid past January 1st 2017.

To find out which signature algorithm your secure website is using, in Chrome click on the green lock in the location bar. Then click on ‘connection’, then click on ‘certificate information’. You should see something like the image below. Note that the ‘Signature algorithm’ is SHA-256, which is one of the SHA-2 hash functions. If you see SHA-1, you need to immediately reissue your certificate using SHA-2 and install the new version.

[Screenshot: Chrome certificate information dialog showing ‘Signature algorithm’ SHA-256]
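Clicking through Chrome's dialog works for one site at a time. The following script, added here as an example (it is not Wordfence's or Chrome's code), performs the same check programmatically: it reads the signature algorithm and the ‘not after’ date out of a DER-encoded X.509 certificate using only the Python standard library and reports whether the certificate falls under the rule above (SHA-1 signature and valid past January 1st 2017). The function names, the minimal DER walker and the `build_sample_cert` helper that constructs stub certificates for the demonstration are all assumptions of this example; `fetch_der` shows how the same check would be fed from a live server.

```python
"""Check a DER X.509 certificate for a SHA-1 signature and the 2017-01-01 cut-off.

Added example, not the post's own code. Standard library only; the DER walker
reads just the fields it needs and assumes the RFC 5280 field order.
"""
import ssl
import sys
from datetime import date

# Signature-algorithm OIDs (RFC 3279 / RFC 5758) mapped to their usual names.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
CUTOFF = date(2017, 1, 1)  # SHA-1 certificates expiring on or after this date get the warning


def _read_tlv(buf, pos):
    """Return (tag, contents, position after element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, contents) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        yield tag, body


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # remaining arcs are base-128 with a continuation bit
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ: two-digit year, 50..99 means 19xx
        yy = int(s[:2])
        year, rest = (2000 + yy if yy < 50 else 1900 + yy), s[2:]
    else:  # GeneralizedTime YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    return date(year, int(rest[:2]), int(rest[2:4]))


def inspect_certificate(der):
    """Return signature algorithm, expiry date and whether Chrome 39 would warn."""
    _, cert, _ = _read_tlv(der, 0)  # Certificate ::= SEQUENCE {tbs, sigAlg, signature}
    tbs, alg, _signature = [body for _, body in _children(cert)]
    _, oid_raw = next(_children(alg))  # AlgorithmIdentifier.algorithm OID
    dotted = _decode_oid(oid_raw)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    validity = fields[3][1]  # serial, signature, issuer, validity, subject, ...
    _not_before, not_after = list(_children(validity))
    expiry = _parse_time(*not_after)
    is_sha1 = dotted in SHA1_OIDS
    return {"signature_algorithm": SIG_ALG_NAMES.get(dotted, dotted),
            "not_after": expiry, "sha1": is_sha1,
            "chrome39_warns": is_sha1 and expiry >= CUTOFF}


def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid, not_after_utc):
    """Constructed stub certificate with only the fields the checker reads (no real key)."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    empty_name = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, b"141121000000Z") + _der(0x17, not_after_utc))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + empty_name + validity + empty_name)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))


def fetch_der(host, port=443):
    """Leaf certificate presented by a live server (needs network; not used in the demo)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(inspect_certificate(fetch_der(sys.argv[1])))
    else:  # constructed SHA-1 and SHA-256 certificates, both expiring in 2017
        for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
            print(inspect_certificate(build_sample_cert(oid, b"171231235959Z")))
```

`inspect_certificate` looks at one certificate only. Because the rule is about certificate chains, the intermediate certificates the server sends should be checked the same way; a SHA-256 leaf issued under a SHA-1 intermediate still trips the warning.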

So what does it look like in the new version of Chrome when you’re using SHA-1? This is taken from a well-known website that has not upgraded yet. Notice the lock with the warning triangle in the location bar. This is the main indication to a site visitor that something is awry. If you then click on the lock, it shows a further warning with an explanation.

[Screenshot: Chrome location bar showing the lock with a warning triangle, and the explanation shown after clicking it]

If you do have a website that is using SHA-1, don’t panic. Just sign into GoDaddy or whoever your SSL issuer is. Then go to manage your certificates and they’ll have an option there to reissue your certificate. You’ll need to resubmit your certificate signing request (CSR) but you can just resubmit your old CSR and it will work fine.

Then make sure that you’ve selected SHA-2 or SHA-256 or another SHA-2 compatible function. Then reissue the certificate. In GoDaddy’s case it takes about a minute for them to approve your request. If you have an EV certificate it may take longer.

Please share this with other site administrators to make sure that their customers aren’t getting warnings when visiting those all-important secure pages.

Footnote: Chrome 39 has officially been pushed into the “Stable” channel which is the release channel. It will be pushed out via auto-update to millions of customers in the coming days. The demo above was done with Chrome 40 beta, but what the user sees is identical.



Comments

6 Comments
  • When I click on that green lock, all that happens is that the page refreshes…

    • Click on the lock.

  • Well, any idea about the hostgator.com SSL update? I contacted the support but they are very slow nowadays.

  • Unfortunately you failed to mention this only applies to 'HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017'.

    Please see:

    http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html

    • Thanks Richard, post updated.

  • I am surprised every time by all the rubbish descriptions.

    "To find out which signature algorithm your secure website is using, in Chrome click on the green lock in the location bar. Then click on ‘connection’, then click on ‘certificate information’. "

    The 'connection' I don't have, and I do not find the rest of the description. I have the newest Chrome version!