Do you have the latest SHA??
Your SSL certificate was signed using a one-way hashing algorithm when it was created. It was probably SHA-1.
Which is too bad, because SHA-1 is dangerously weak, and SHA-2 is the replacement.
Test your site's certificate by visiting shaaaaaaaaaaaaa.com.
You can also use this repo's ./bin/shaaaaaaaaaaaaa script to get an answer on the command line, or visit the excellent SSL Labs for a far more comprehensive review of your SSL configuration.
This repository contains the code for shaaaaaaaaaaaaa.com. It depends on openssl.
Yes. Be a part of the solution.
SHA-1 was broken in 2005, and one estimate suggests that in 2014 it costs $1-2 million to forge a SHA-1 certificate. That's nothing.
Eventually, browsers and OSes will distrust SHA-1:
- In 2013, Microsoft deprecated SHA-1 for Windows and Internet Explorer.
- In 2014, the Chromium team deprecated SHA-1 for Chrome.
They've promised dire consequences in 2016 and 2017, but they'll only be able to follow through on their threat if enough people update their certs before then.
The last time this happened was with MD5. MD5 was first shown to be weak in 1996, and Chrome wasn't able to remove MD5 support until December 2011.
It's 2014, and the overwhelming majority of certificates in the wild today -- including those of leaders like Google -- are SHA-1.
If you're using a SHA-1 cert, take a few minutes and generate a new one with SHA-2.
When you're generating your certificate request, include the -sha256 parameter:
openssl req -new -sha256 -key my-private.key -out mydomain.csr
That will instruct the certificate authority to use SHA-256 (a form of SHA-2) when generating your certificate.
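To confirm the result, read the signature algorithm back from both the CSR and the certificate the CA returns: the -sha256 flag sets the hash on the CSR's own signature, while the certificate's signature is produced by the CA. The script below is an added example, not this repository's ./bin script; the function names, the example.test subject and the self-signed certificate standing in for a CA-issued one are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not the repository's ./bin script. Requires openssl.

# Print the signature algorithm of a PEM file.
#   $1 = "x509" (certificate) or "req" (CSR), $2 = path
sig_alg() {
    openssl "$1" -in "$2" -noout -text |
        awk -F': ' '/Signature Algorithm/ { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Map an OpenSSL signature-algorithm name to weak / ok / unknown by its hash.
classify_sig() {
    case "$1" in
        md2*|md5*|sha1*|dsaWithSHA1|ecdsa-with-SHA1) echo weak ;;
        sha224*|sha256*|sha384*|sha512*) echo ok ;;
        ecdsa-with-SHA[235]*|dsa_with_SHA[235]*) echo ok ;;
        *) echo unknown ;;   # e.g. rsassaPss, where the hash is in the parameters
    esac
}

# Report one file as "<algorithm> <verdict>"; status 0 only if the verdict is ok.
check_pem() {
    alg=$(sig_alg "$1" "$2") || return 2
    verdict=$(classify_sig "$alg")
    echo "$alg $verdict"
    [ "$verdict" = ok ]
}

# Constructed demo: throwaway key, a CSR made with the page's -sha256 flag,
# and a self-signed certificate standing in for what a CA would return.
demo() {
    dir=$(mktemp -d) || return 2
    openssl genrsa -out "$dir/my-private.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$dir/my-private.key" \
        -subj "/CN=example.test" -out "$dir/mydomain.csr" &&
    openssl req -x509 -new -sha256 -key "$dir/my-private.key" \
        -subj "/CN=example.test" -days 1 -out "$dir/mydomain.crt" &&
    check_pem req "$dir/mydomain.csr" &&
    check_pem x509 "$dir/mydomain.crt"
    status=$?
    rm -rf "$dir"
    return $status
}

# Usage: sh check-sig.sh x509 issued-cert.pem   (or: req mydomain.csr)
if [ "$#" -eq 2 ]; then check_pem "$1" "$2"; fi
```

A non-zero exit status from check_pem makes it usable as a gate in a deployment script, so a SHA-1 certificate is caught before it is installed.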
For more information on generating and installing a certificate, see:
- this author's guide to setting up HTTPS
- this author's nginx configuration that produces this SSL Labs rating
This is a tiny tool by Eric Mill. Released under an MIT License.