
SHA1, SHA2 and SHA256 SSL algorithms

Last updated: 14/01/2016

SHA (Secure Hash Algorithm) is a family of cryptographic hash functions used in SSL certificates: the Certificate Authority signs a SHA hash of the certificate, and the browser recomputes that hash to verify the validity of the certificate's signature. Several iterations of SHA have seen the light: SHA-0, now obsolete and no longer in use; SHA-1, used by the majority of today's certificates; SHA-2, its more secure successor; and SHA-3, introduced in 2012.

The SHA-2 algorithm comes in four variants, named after the size of the hash they produce: SHA-224, SHA-256, SHA-384 and SHA-512. SHA-256 is the variant most widely adopted by browsers and Certificate Authorities alike, which is why the terms SHA-2 and SHA-256 are often used interchangeably.

As computing power keeps growing, so does the risk that someone can produce a second file with the same SHA-1 checksum as a given file. Such an event, known as a collision, would allow an attacker to circumvent SSL security and issue false certificates. That's why Microsoft and Google, followed by other browser vendors, have decided to progressively limit the validity of certificates signed with SHA-1.

Google published the following policy for its Chrome browser, rolled out in successive phases:

In a first phase, certificates signed with SHA-1 and expiring on or after January 1st, 2017 are visually flagged in the browser as secure, but with minor errors. A yellow warning triangle is shown in the browser's address bar to signify this.

In the next phase, certificates with a SHA-1 signature expiring between January 1st, 2016 and December 31, 2016 are flagged as secure, but with minor errors.

SHA-1 certificates with an expiry date from January 1st, 2017 onwards are flagged as neutral, lacking security, just like unsecured http:// sites.

In the final phase, SHA-1 SSL certificates with an expiry date before January 1st, 2017 still trigger the warning triangle.

Certificates signed with SHA-1 expiring after January 1st, 2017 are flagged as insecure, in a similar way to sites with an expired or invalid certificate.
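As an added example (not code from Kinamo or from the Chrome policy itself), the Python script below pulls the signature algorithm OID and the notAfter date out of a DER-encoded certificate with a minimal ASN.1 walker, then maps the pair onto the final phase of the Chrome policy described above. The certificate it runs on is a constructed skeleton built inline (correct RFC 5280 field order, dummy issuer, subject and key, no real signature); the parser follows the real structure, so it also works on the DER bytes of a genuine certificate, for instance the output of `openssl x509 -outform DER`. The date thresholds are the ones stated on this page; the OID-to-name table lists the standard signature algorithm identifiers.

```python
import datetime

# Signature-algorithm OIDs found in real certificates (RFC 3279, RFC 4055, RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def der_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the body of a SEQUENCE (or other constructed element) into (tag, value) pairs."""
    children, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        children.append((tag, val))
    return children

def decode_oid(value):
    """Decode the body of an OBJECT IDENTIFIER into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def parse_time(tag, value):
    """UTCTime (tag 0x17, two-digit year) or GeneralizedTime (tag 0x18, four-digit year)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(value.decode("ascii"), fmt).date()

def inspect_certificate(cert_der):
    """Return (signature algorithm name, notAfter date) for a DER Certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbs, sig_alg, _signature = der_children(der_tlv(cert_der)[1])
    oid = decode_oid(der_children(sig_alg[1])[0][1])  # AlgorithmIdentifier.algorithm
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _not_before, not_after = der_children(fields[3][1])
    return SIG_OIDS.get(oid, oid), parse_time(*not_after)

def chrome_sha1_status(sig_name, not_after):
    """Final phase of the policy above: SHA-1 expiring in 2016 -> minor errors,
    SHA-1 expiring on/after 2017-01-01 -> insecure, anything else -> secure."""
    if "SHA1" not in sig_name.upper():
        return "secure"
    if not_after >= datetime.date(2017, 1, 1):
        return "insecure"
    if not_after >= datetime.date(2016, 1, 1):
        return "secure, but with minor errors"
    return "secure"

def status_for_der(cert_der):
    return chrome_sha1_status(*inspect_certificate(cert_der))

# --- constructed sample input (NOT a real certificate) -------------------------
def der(tag, body):
    """Minimal DER encoder (short and long length forms), used only to build the sample."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    first, second, *rest = (int(x) for x in dotted.split("."))
    out = [40 * first + second]
    for arc in rest:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # remaining 7-bit groups, high bit set on all but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += reversed(chunk)
    return der(0x06, bytes(out))

def sample_certificate(sig_oid, not_after_utctime):
    """Skeleton with real field order and dummy issuer/subject/key; no real signature."""
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, not_after_utctime))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))     # version v3
                    + der(0x02, b"\x01")                # serialNumber
                    + alg + der(0x30, b"")              # signature, issuer
                    + validity
                    + der(0x30, b"") + der(0x30, b""))  # subject, subjectPublicKeyInfo
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

if __name__ == "__main__":
    for oid, expiry in [("1.2.840.113549.1.1.5", b"161231235959Z"),
                        ("1.2.840.113549.1.1.5", b"170630235959Z"),
                        ("1.2.840.113549.1.1.11", b"180101000000Z")]:
        cert = sample_certificate(oid, expiry)
        print(inspect_certificate(cert), "->", status_for_der(cert))
```

To check a real certificate, replace the sample with `open("cert.der", "rb").read()`; a PEM file first needs its base64 body decoded. The walker deliberately reads only the outer Certificate, the AlgorithmIdentifier and the validity field, which is all the policy needs, so it tolerates extensions and other fields it never looks at.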

Certificate Authorities will cease to issue SHA-1 certificates after December 31, 2014. New certificates requested after that date will be signed with an SHA-256 signature exclusively.

If your certificate is up for renewal, make sure you request a SHA-256 signature at renewal. To guarantee compatibility with older browsers, existing certificates can still be re-issued with a SHA-1 hash. If you have doubts about whether your equipment supports SHA-256, a list of compatible devices can be found on our page on « SHA-256 compatibility ».

If your current SSL certificate expires in 2016 or 2017, visitors to your website may encounter security warnings. In that case, your best course of action is to request a re-issue of your certificate with a SHA-256 signature. If you ordered your certificate through Kinamo, we'll re-issue it for free.

Nothing is lost even if you're not yet an SSL customer at Kinamo. Many Certificate Authorities offer a competitive deal when you switch away from a competitor, and even allow you to transfer the remaining validity of your existing certificate onto a new one, sometimes with an extra 30 days of validity for free.