How is Hashing Used With SSL? <\/h3>\n\n\n\n
The SHA algorithm is used by SSL\/TLS certificate authorities (CA) to sign the digital certificates. <\/p>\n\n\n\n
When you buy an SSL certificate, the certificate authority puts the digital signature on the SSL certificate and hashes it using the SHA algorithm. The unique hash value is proof that the SSL certificate is exactly the same as it was at the time of issuance, and the information it contains has not been modified or reproduced. If an attacker tries to manipulate or reproduce the SSL certificate, the hash value of its digital signature changes. The different hash value alerts browsers and operating systems to the problem, and they show an error warning to users. <\/p>\n\n\n\n
The Transition From SHA-1 to SHA-2 <\/h3>\n\n\n\n
SHA-1, which is\u00a0a\u00a0member of the SHA hashing algorithm family, was first introduced in 1993. It was\u00a0the\u00a0primary algorithm for signing digital certificates\u00a0and certificate revocation lists. In 2001, SHA-2, the upgraded version of SHA-1\u00a0was\u00a0introduced with longer and stronger encryption. SHA2 is a family of algorithms that uses 224, 256, 284, or 512 bit long key for the purpose of encryption. It was voluntary to use SHA-2 for more than a decade after its introduction, and most of the CAs chose to stay in their comfort zone by using SHA-1.\u00a0\u00a0<\/p>\n\n\n\n
- Starting in 2005, a couple of institutes started to claim collisions were possible with SHA-1.<\/li>
- During 2011 to 2019, there was a transition from SHA-1 to SHA-2. <\/li>
- In 2014, Google declared that starting in 2017, Chrome 39, 40, and 41 would show an error message for all SHA-1 TLS\/SSL certificates expiring on or after 1st<\/sup> January 2017. After that, all the major browsers gradually declared the same policies to boycott SHA-1. <\/li>
- In 2015, thousands of SHA-1 SSL certificates were revoked and re-issued with SHA-2. <\/li>
- December 31, 2015 was the deadline to stop signing SSL certificates with SHA-1. These announcements put a tight leash on certificate authorities to sign digital certificates using SHA-1 and made them shift to SHA-2 SSL. <\/li>
- SHA-1 SSL\u2019s golden era officially ended when in 2017, Google performed an actual SHA-1 collision attack showing that two different PDF files have produced the same hash value. <\/li>
- In January 2019 all Google Chrome versions ceased supporting digital certificate signed with SHA-1. <\/li><\/ul>\n\n\n\n
Why Browsers Prefer SHA-2 SSL over SHA-1 <\/h3>\n\n\n\n
But after all this fuss, the basic question is: what makes SHA-2 more secure and trustworthy than SHA-1? SHA-1 uses a 160-bit length signature. SHA-2 produces hashes of different length, known as \u2018SHA-2 family of hash functions\u2019 – among them, 265-bit is the most popular one. The other SHA-2 hash functions include SHA-224*, SHA-256, SHA-284, SHA-512, SHA-512\/224, SHA-512\/256. The number written after SHA is the length of the bit values. The longer the signature length, the harder it is to decrypt; and hence more secure it is. (*Note: SHA-224 is not approved to sign publicly trusted certificates.) <\/p>\n\n\n\n
Is SHA-2 SSL going to stay in the market forever? When the hashing algorithm is supposed to produce unique hash value, there is an upper limit for the number of combinations it can produce. For example, SHA-256 can produce 2256 unique combination of hashes. As far as reaching 2256 unique hash values is concerned, it’s a huge number and it’s not going to happen anytime sooner. So, for now, certificates signed with SHA-2 are in a safe zone. <\/p>\n\n\n\n
What If My SSL Certificate Is Signed With SHA-1? <\/h3>\n\n\n\n
With all certificates signed with SHA-1, browsers will show a security warning to the website visitors with an error message such as NET:: ERR_CERT_WEAK_SIGNATURE_ALGORITHM. Below is a screenshot of Google Chrome’s warning page. <\/p>\n\n\n\n
![\"NET::](\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\")
<\/figure>\n\n\n\nIf you are a website owner\/webmaster, you must ask your certificate authority to re-issue the SSL with the latest SHA-2 algorithm. Keep in mind-many certificate authorities don\u2019t facilitate re-issuance free of cost. You might need to pay some extra charges for re-issuance. RapidSSL has FREE re-issuance. <\/p>\n\n\n\n
If your certificate authority charges unreasonably high fees for re-issuing the SSL certificate, you can change your CA any time, even if your certificate is not expired and buy a new SSL, which by default comes with SHA-2. You can get RapidSSL certificate with latest SHA-256 bit algorithm for rates as low as $14.95\/year with a $10,000 warranty. <\/p>\n\n\n\n
If you are a website visitor, you can make your browser ignore this error and continue using the site. (Although this isn\u2019t recommended.) <\/p>\n\n\n\n
Save Up to 80% on SHA-2 SSL Certificates<\/h2>\n
We offer a wide-range of SHA-2 SSL certificates including DV, OV, EV, Wildcard, and Multi-domain SSL certificates.<\/p>\n
![\"NET::](\"https:\/\/www.rapidsslonline.com\/ssl\/wp-content\/uploads\/2019\/07\/image.png\")
<\/figure>\n\n\n\n