SHA2 SSL Certificates – All You Need to Know About SHA-2 SSL


Learn about the key differences between SHA-1 and SHA-2, and why SHA-2 certificates are used now

SHA, or Secure Hash Algorithm, is a family of cryptographic hash functions used in computer security. It was created by the US National Security Agency (NSA) in collaboration with other government and private institutes. It has several versions: SHA-0, SHA-1, SHA-2, and SHA-3.

Before jumping into SHA-2, let's cover some basics first.

What is Hashing? 

A hashing algorithm is a one-way function that condenses data of any size into a fixed-size value using a mathematical function. The resulting hash value is effectively unique to that content: finding any other piece of content with the same hash value is meant to be computationally infeasible.

So, for example, if you hash the line “I bought an SSL certificate with a $50,000 warranty for $45 on Thursday, July 11, 2019.” you’ll get a hash value like this: 

94BF78837296B93E4BEDB99FAAF44BAE2CEEC31469

The resulting value is called the hashed text, hash value, or digest. Hashes are used to protect sensitive data, speed up lookups, store passwords securely, and compare data easily. There are many hashing algorithms in the industry, and SHA is one of the most popular.

How is Hashing Different From File Compression?

Two critical properties of the SHA algorithms set them apart from ordinary zip-file compression.

  1. Hash values are unique: No two strings of text should produce the same hash value. If two inputs do produce the same value, that is called a collision in that particular hash algorithm. Even the slightest change in the original text changes the entire hash value.
  2. Hash values are irreversible: If all you have is the hashed text, you cannot reverse it to recover the original text. Unlike compression, hashing is not designed to be undone.
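The two properties above, worked through in code using the article's own sample sentence. This is an added example, not code from the original page; the digests it computes are not the value printed in the article, and the one-character change ($45 to $46) is a constructed input.

```python
import hashlib

# The sentence the article uses as its hashing example (constructed input for this demonstration).
SENTENCE = "I bought an SSL certificate with a $50,000 warranty for $45 on Thursday, July 11, 2019."


def digest_hex(text, algo):
    """Hex digest of text under the named hash function, e.g. 'sha1' or 'sha256'."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def digest_bits(algo):
    """Digest size in bits: 160 for SHA-1, 256 for SHA-256, 384 for SHA-384, 512 for SHA-512."""
    return hashlib.new(algo).digest_size * 8


def differing_bits(hex_a, hex_b):
    """Hamming distance between two equal-length hex digests (how many output bits changed)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(text, algo):
    """Hash text and a copy with one character changed ($45 -> $46).

    Returns (bits that differ, total digest bits). For a sound hash roughly half the
    bits change, which is the 'slightest change alters the whole value' property.
    """
    changed = text.replace("$45", "$46", 1)
    assert changed != text, "the one-character change must actually alter the input"
    return differing_bits(digest_hex(text, algo), digest_hex(changed, algo)), digest_bits(algo)


if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        d, total = avalanche(SENTENCE, algo)
        print(f"{algo}: {digest_bits(algo)}-bit digest {digest_hex(SENTENCE, algo)}")
        print(f"  one-character change flips {d} of {total} output bits")
```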

How is Hashing Used With SSL? 

The SHA algorithms are used by SSL/TLS certificate authorities (CAs) to sign digital certificates.

When you buy an SSL certificate, the certificate authority hashes the certificate's contents with a SHA algorithm and signs that hash, producing the digital signature on the certificate. Verifying the signature proves that the certificate is exactly as it was at the time of issuance and that the information it contains has not been modified. If an attacker tries to manipulate or forge the certificate, its hash no longer matches the signed value. That mismatch alerts browsers and operating systems to the problem, and they show an error warning to users.

The Transition From SHA-1 to SHA-2 

SHA-1, a member of the SHA family, was first introduced in 1993. It was the primary algorithm for signing digital certificates and certificate revocation lists. In 2001, SHA-2, the upgraded successor to SHA-1, was introduced with longer and stronger digests. SHA-2 is a family of hash functions that produce 224-, 256-, 384-, or 512-bit digests. Using SHA-2 was voluntary for more than a decade after its introduction, and most CAs chose to stay in their comfort zone with SHA-1.

  • Starting in 2005, several research institutes claimed that collisions were possible in SHA-1.
  • From 2011 to 2019, the industry transitioned from SHA-1 to SHA-2.
  • In 2014, Google announced that, starting in 2017, Chrome 39, 40, and 41 would show an error message for all SHA-1 TLS/SSL certificates expiring on or after 1 January 2017. All the other major browsers gradually announced similar policies against SHA-1.
  • In 2015, thousands of SHA-1 SSL certificates were revoked and re-issued with SHA-2.
  • 31 December 2015 was the deadline to stop signing SSL certificates with SHA-1. These announcements put a tight leash on certificate authorities still signing with SHA-1 and pushed them to SHA-2 SSL.
  • SHA-1 SSL's golden era officially ended in 2017, when Google demonstrated a practical SHA-1 collision attack: two different PDF files that produce the same SHA-1 hash value.
  • In January 2019, all Google Chrome versions stopped accepting digital certificates signed with SHA-1.

Why Browsers Prefer SHA-2 SSL over SHA-1 

After all this fuss, the basic question remains: what makes SHA-2 more secure and trustworthy than SHA-1? SHA-1 produces a 160-bit digest. SHA-2 produces digests of several lengths, known as the SHA-2 family of hash functions; among them, the 256-bit variant is the most popular. The SHA-2 hash functions are SHA-224*, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. The number after "SHA" is the digest length in bits. The longer the digest, the harder it is to find a collision or reverse it, and hence the more secure it is. (*Note: SHA-224 is not approved for signing publicly trusted certificates.)

Is SHA-2 SSL going to stay in the market forever? Although a hashing algorithm is supposed to produce unique hash values, there is an upper limit on the number of distinct values it can produce. For example, SHA-256 can produce 2^256 distinct hashes. Exhausting 2^256 hash values is a huge amount of work and is not going to happen anytime soon. So, for now, certificates signed with SHA-2 are in a safe zone.
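The figure that actually matters for collision resistance is not the $2^{256}$ distinct outputs but the birthday bound. The following derivation is added here and is not part of the original article; $n$ is the digest length in bits and $k$ the number of inputs hashed.

$$
P(\text{at least one collision among } k \text{ random } n\text{-bit digests}) \approx 1 - e^{-k^{2}/2^{n+1}}
$$

Setting this probability to $1/2$ gives

$$
k \approx \sqrt{2 \ln 2}\cdot 2^{n/2} \approx 1.18 \cdot 2^{n/2},
$$

so a generic (brute-force) collision search costs about $2^{80}$ hash computations for SHA-1 ($n = 160$) and about $2^{128}$ for SHA-256 ($n = 256$). SHA-1 fell well below its own $2^{80}$ bound through cryptanalysis: the 2017 collision mentioned above cost roughly $2^{63}$ SHA-1 computations. The generic bound is therefore a ceiling, not a guarantee; what keeps SHA-2 in the safe zone is that no comparable shortcut is known for it, on top of its $2^{128}$ generic bound.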

What If My SSL Certificate Is Signed With SHA-1? 

For any certificate signed with SHA-1, browsers show website visitors a security warning with an error message such as NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM. Below is a screenshot of Google Chrome's warning page.

[Screenshot: Google Chrome warning page showing NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM]

If you are a website owner or webmaster, you must ask your certificate authority to re-issue the certificate with the SHA-2 algorithm. Keep in mind that many certificate authorities do not offer free re-issuance; you might need to pay extra charges. RapidSSL offers FREE re-issuance.
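To find out whether a certificate is one of those SHA-1 signed ones, the check a browser performs is simply to read the signatureAlgorithm field of the certificate. The example below is added here and is not code from the original article or from any browser; it uses constructed DER skeletons (not real certificates) as sample input, and the parser reads only the outer Certificate structure, so it also works on a real certificate's DER bytes.

```python
# Added check, roughly what a browser does before raising NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
# read the outer signatureAlgorithm OID of a DER-encoded certificate and flag SHA-1 based algorithms.
WEAK = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.10045.4.1": "ecdsa-with-SHA1",
        "1.2.840.10040.4.3": "dsaWithSHA1"}

# Constructed DER skeletons, not real certificates: a real tbsCertificate carries names, validity
# and the public key, but the outer layout SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
# is the same, so the parser below also works on a real certificate read as DER bytes.
SHA1_RSA_OID = "2a 86 48 86 f7 0d 01 01 05"      # 1.2.840.113549.1.1.5   sha1WithRSAEncryption
SHA256_RSA_OID = "2a 86 48 86 f7 0d 01 01 0b"    # 1.2.840.113549.1.1.11  sha256WithRSAEncryption

def constructed_cert(sig_oid_hex):
    tbs = "30 03 02 01 02"                       # placeholder tbsCertificate (SEQUENCE { INTEGER 2 })
    alg = "30 0d 06 09 " + sig_oid_hex + " 05 00"  # AlgorithmIdentifier { algorithm OID, NULL params }
    sig = "03 11 00" + " ab" * 16                # BIT STRING, 0 unused bits, fake 16-byte signature
    body = bytes.fromhex(tbs + alg + sig)
    return bytes([0x30, len(body)]) + body      # Certificate SEQUENCE (short-form length, body < 128)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    """Decode an OBJECT IDENTIFIER body (base-128 arcs) into dotted form."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:                         # last byte of this arc
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm field of a DER X.509 certificate."""
    _, cert, _ = _tlv(cert_der, 0)               # Certificate SEQUENCE
    _, _, pos = _tlv(cert, 0)                    # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)                  # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = _tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid_body)

def weak_signature(cert_der):
    """Name of the SHA-1 based signature algorithm if the certificate uses one, else None."""
    return WEAK.get(signature_algorithm(cert_der))
```

For a real certificate, pass the DER bytes (a PEM file is base64 between the BEGIN/END lines) to weak_signature; a non-None result is what triggers the browser warning described above.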

If your certificate authority charges unreasonably high fees for re-issuing the certificate, you can change your CA at any time, even if your current certificate has not expired, and buy a new SSL certificate, which by default comes signed with SHA-2. You can get a RapidSSL certificate signed with SHA-256 for as little as $14.95/year with a $10,000 warranty.

If you are a website visitor, you can make your browser ignore this error and continue to the site, although this is not recommended.

Save Up to 80% on SHA-2 SSL Certificates

We offer a wide-range of SHA-2 SSL certificates including DV, OV, EV, Wildcard, and Multi-domain SSL certificates.

Buy SSL Certificate, starting at $12.42/year