WHAT IS SHA-1 / SHA-2?
What is SHA?
SHA, or Secure Hash Algorithm, is a family of hashing algorithms used in secured connections to prove the integrity and authenticity of a message to the receiver. An SHA algorithm is the default hash algorithm used to sign SSL certificates.
What is SHA-1?
SHA-1 is an algorithm producing a 160-bit fingerprint when used on a message.
It was the standard up until now for secured connections. However, SHA-1 was adopted in 1995, a long time ago in internet years. Just think of the computer you were using in 1995! Huge advances in computing power and in cryptographic research since then have put pressure on SHA-1, and weaknesses in it have been demonstrated.
Its days are numbered and the SSL industry is migrating to SHA-2. From January 1st, 2017, SSL certificates signed with SHA-1 will no longer be recognised by web browsers and operating systems, rendering them useless. Most major browsers (Chrome, Safari, Mozilla, Opera) have voiced their support for the move.
What is SHA-2?
SHA-2 is a set of hash functions including SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256.
The most common of these is SHA-256, so in practice a "SHA-2 certificate" usually means a SHA-256 certificate.
It works the same way as SHA-1, but produces a longer fingerprint when used on a message. Moving from SHA-1 to SHA-2 will increase security and safety online.
But it’s not all bad, and there’s no need to panic.
The hard work required to transition from SHA-1 to SHA-2 has already been taken care of. SHA-2 is widely supported by most browsers, email clients and mobile devices, making the transition relatively hassle-free.
What does this mean for my SSL certificate?
The SHA-1 algorithm is set by default in your SSL certificate at the time of purchase, unless specified otherwise. In any case, your SSL certificate must use SHA-2 from January 1st, 2017, and all Certification Authorities are currently ensuring you can purchase SHA-2 certificates from now on. If you choose to be PCI compliant, note that SHA-2 is required by the body in charge of this standard (the Payment Card Industry Security Standards Council).
You have three main options depending on your situation:
- If your certificate expires before January 1st, 2016: you can still get a SHA-1 certificate, but its validity period can’t go after January 1st, 2017.
- If your certificate expires between January 1st, 2016 and January 1st, 2017: you won’t have any other choice than ordering a SHA-2 certificate, but your SHA-1 certificate remains valid until December 31st, 2016.
- If your SSL certificate expires after January 1st, 2017: after this date, Microsoft Operating Systems will stop trusting your SSL certificate, and web browsers will do the same. Any user trying to connect to your server will get the following warning message:
The SHA-2 algorithm does not come with any additional costs.
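The two practical questions behind this page are "how much longer is a SHA-2 fingerprint than a SHA-1 one?" and "which hash did my CA use to sign my certificate?". The following is an added example, not code from the original page or from any vendor: it uses Python's standard library only. The digest sizes come straight from hashlib; the certificate check reads the outer signatureAlgorithm OID of a DER-encoded certificate with a minimal DER walker. Because no real certificate is embedded, the block builds a constructed stand-in certificate (empty tbsCertificate, dummy signature) that only mimics the outer layout; the OID values themselves are the standard ones for sha1WithRSAEncryption, sha256WithRSAEncryption and friends. The `pem_to_der` helper is an assumption about how you would feed a real PEM file into the check.

```python
import base64
import hashlib

# Members of the SHA family named on the page that every Python build provides.
# (SHA-512/224 and SHA-512/256 depend on the OpenSSL build behind hashlib.)
SHA_FAMILY = ["sha1", "sha224", "sha256", "sha384", "sha512"]

def fingerprint_bits(algorithm: str, message: bytes = b"example message") -> int:
    """Size in bits of the fingerprint `algorithm` produces for `message`."""
    return hashlib.new(algorithm, message).digest_size * 8

# Signature-algorithm OIDs commonly found in X.509 certificates -> hash used.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at `pos`; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: this byte ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def certificate_signature_hash(der: bytes) -> str:
    """Hash named in the outer signatureAlgorithm of a DER certificate ('SHA-1', 'SHA-256', ...)."""
    tag, cert_body, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE {...}
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert_body, 0)       # tbsCertificate, skipped
    tag, sig_alg, _ = _read_tlv(cert_body, pos)  # signatureAlgorithm ::= SEQUENCE { OID, params }
    tag2, oid_raw, _ = _read_tlv(sig_alg, 0)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return SIGNATURE_OIDS.get(_decode_oid(oid_raw), ("unknown", "unknown"))[1]

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour lines and base64-decode the certificate body (assumed input format)."""
    body = [line for line in pem.strip().splitlines() if not line.startswith("-----")]
    return base64.b64decode("".join(body))

# --- constructed stand-in certificate, used only because no real one is embedded ---
def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with short or long length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 with continuation bit on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _der(0x06, body)

def toy_certificate(signature_oid: str) -> bytes:
    """Constructed certificate with realistic outer layout only: empty tbsCertificate,
    NULL parameters, dummy signature. Enough for the algorithm check, not for any TLS stack."""
    tbs = _der(0x30, b"")
    sig_alg = _der(0x30, _encode_oid(signature_oid) + _der(0x05, b""))
    sig_value = _der(0x03, b"\x00" * 33)  # BIT STRING: unused-bits byte + 32 dummy bytes
    return _der(0x30, tbs + sig_alg + sig_value)

if __name__ == "__main__":
    for name in SHA_FAMILY:
        print(f"{name:6s} -> {fingerprint_bits(name)}-bit fingerprint")
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", certificate_signature_hash(toy_certificate(oid)))
```

Run on a real certificate, `certificate_signature_hash(pem_to_der(open("cert.pem").read()))` reports which hash the issuing CA used; the same field is what `openssl x509 -in cert.pem -noout -text` prints as "Signature Algorithm". A result of "SHA-1" on a certificate valid past the cut-off date is the case the options above describe.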
Are there any compatibility issues?
SHA-2 has some compatibility issues with Windows XP Service Pack 2 and earlier versions. Before switching to SHA-2, make sure your organisation and network are fully compatible with SHA-2: check that all your platforms, web browsers and operating systems are up to date.
While some browser compatibility issues do exist, they only apply to very old browsers that are unsafe for browsing the internet regardless.
As always, we're committed to ensuring the safety of your business on the internet, and we're here for you during this transition. Please don't hesitate to contact us on: