
SEO and SSL and SHA-1! Oh my!


alan

title inspiration

TL;DR

Unless a last bit of checking I am doing over the next short while concludes otherwise, I am going to convert all my sites to run from HTTPS connections and later on ensure all the certificates I use are of type SHA-2, not SHA-1.

Dull detail

I may be wrong about a little or a lot of this stuff, so please check my facts before you rush off and do stuff, but I've learnt some new stuff over the last little while and thought I'd share with PW friends in case it's of any help.

The following is just a bunch of things that I believe are correct and that may be helpful, sorry I had no time to write it up into a nice article/post:

x
Edited by alanfluff

Alan, this probably won't affect you or anyone else here who's running https sites but I'll post it anyway...

Please make sure that there aren't any issues with your visitors' browser support for SSL certs that use SHA-2. If you have a whole bunch of visitors using older versions of IE then you may be cutting them off if you do go down this route. (I know that another take on this would be "Encouraging them to switch".) I believe that Mozilla had to rapidly switch back to SHA-1 after switching to SHA-2 recently, as many people who install Windows then visit Mozilla's site to get the latest version of Firefox and download it. Of course, when Mozilla switched to SHA-2 some proportion of their visitors (I think it was a fair few percent but can't remember the figure) were finding that they couldn't download Firefox without certificate warnings, and ironically this put up a barrier to their switching to a better browser, so Mozilla rapidly reverted the change.

What I like about the story is that folks were using IE just once, as a bootstrap, to load a better browser, and that Mozilla thought it was more important to allow them to do that easily than to improve their own site's SSL hash algorithm.


Ahh, thanks very much Steve for expanding my understanding. So this (switch to SHA-2) is another opportunity to get certificate warnings. My head hurts o_O I was hoping I'd stumbled on a way to 'just go SSL' ;)

For me, new to implementing SSL, it is confusing, especially when I read here:

HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.

which I mistakenly took as a cue that the cure-all was just to go SHA-2; clearly it's not :/

I don't have any sites with SSLs longer than 12 months, so my quoted potential problem is a non-issue for me, but presumably I (us web peeps who use 1-year certificates) need in 2016(?) to buy SHA-2s for fear that they will last into 2017 and at that time get the same sort of warning you pointed out can happen today if, ironically, one uses SHA-2 certificates?

- - -

And grinned re your bootstrap observation there, I always take a small delight in launching IE once per VM build just to go download Chrome ;)

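As an added example that is not part of the original thread (nor anyone's posted code), here is a standard-library-only Python script that applies the Chrome rule quoted above to a certificate chain: it reads the outer signatureAlgorithm OID and the validity dates out of DER-encoded X.509 with a minimal DER walker, then flags any chain that carries a SHA-1 signature below the root while the leaf is still valid on or after 1 January 2017. The trust-anchor root's own signature hash is deliberately ignored, because browsers trust roots by their presence in the store rather than by their signature. The function and helper names are mine, and the sample "certificates" are constructed in the script itself: they have the right DER layout but empty names, no public key and dummy signature bytes, so they are not real certificates and only their algorithm OIDs and dates matter.

```python
"""Chrome's quoted rule applied to a certificate chain: SHA-1 anywhere below the
root plus a leaf valid past 1 Jan 2017 means degraded UI. Standard library only;
sample chains are constructed here and are NOT real certificates (no key, dummy sig)."""
from datetime import datetime, timezone

SIG_ALGS = {  # signature AlgorithmIdentifier OID -> (name, digest)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}
CHROME_CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)


def _read_tlv(buf, pos=0):                    # (tag, content, end) of the TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):                       # SEQUENCE content -> [(tag, content), ...]
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out

def _decode_oid(val):
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:                         # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def _decode_time(tag, val):                   # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_certificate(der):
    """Outer signature algorithm and validity period of one DER certificate."""
    tbs, sig_alg, _sig_value = _children(_read_tlv(der)[1])
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    i = 1 if fields[0][0] == 0xA0 else 0      # skip explicit [0] version if present
    not_before, not_after = _children(fields[i + 3][1])  # serial, signature, issuer, validity
    name, digest = SIG_ALGS.get(oid, (oid, "unknown"))
    return {"sig_alg": name, "digest": digest,
            "not_before": _decode_time(*not_before), "not_after": _decode_time(*not_after)}

def chrome_sha1_verdict(chain):
    """chain: DER certs, leaf first, trust-anchor root last. The root's own signature
    hash is ignored (roots are trusted by store membership, not by their signature)."""
    infos = [inspect_certificate(c) for c in chain]
    sha1_certs = [i["sig_alg"] for i in infos[:-1] if i["digest"] == "sha1"]
    leaf_expiry = infos[0]["not_after"]
    if sha1_certs and leaf_expiry >= CHROME_CUTOFF:
        return "degraded: SHA-1 in chain (%s), leaf valid until %s" % (
            ", ".join(sha1_certs), leaf_expiry.date())
    return "ok"


# Constructed sample data: certificate-shaped DER, not real certificates.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        septets = [a & 0x7F]
        while a >> 7:
            a >>= 7
            septets.append(0x80 | (a & 0x7F))
        out.extend(reversed(septets))
    return bytes(out)

def build_sample_cert(sig_oid, not_before, not_after):
    """Unsigned stand-in: real layout, empty issuer/subject/SPKI, dummy signature."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    def utc(d): return _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _tlv(0x30, b"") + _tlv(0x30, utc(not_before) + utc(not_after))
               + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))

def sample_verdicts():
    def d(y, m, day): return datetime(y, m, day, tzinfo=timezone.utc)
    sha1, sha256 = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
    root = build_sample_cert(sha1, d(2010, 1, 1), d(2030, 1, 1))        # SHA-1 root: ignored
    inter_sha1 = build_sample_cert(sha1, d(2014, 1, 1), d(2024, 1, 1))
    inter_sha2 = build_sample_cert(sha256, d(2014, 1, 1), d(2024, 1, 1))
    leaf_2016 = build_sample_cert(sha1, d(2015, 6, 1), d(2016, 6, 1))   # one-year cert, gone before cutoff
    leaf_2017 = build_sample_cert(sha1, d(2016, 3, 1), d(2017, 3, 1))   # one-year cert bought in 2016
    leaf_sha2 = build_sample_cert(sha256, d(2016, 3, 1), d(2017, 3, 1))
    return {
        "sha1 leaf, expires 2016": chrome_sha1_verdict([leaf_2016, inter_sha1, root]),
        "sha1 leaf, expires 2017": chrome_sha1_verdict([leaf_2017, inter_sha1, root]),
        "sha2 leaf under sha1 intermediate": chrome_sha1_verdict([leaf_sha2, inter_sha1, root]),
        "sha2 leaf and intermediate": chrome_sha1_verdict([leaf_sha2, inter_sha2, root]),
    }
```

The four constructed cases mirror the thread: a one-year SHA-1 certificate that expires in mid-2016 passes, the same certificate bought in 2016 and running into 2017 is flagged, a SHA-2 leaf is still flagged if the intermediate that signed it is SHA-1, and a SHA-1 root on its own is not a problem. To run it against a live site, feed `chrome_sha1_verdict` the DER certificates from the server's chain (for example as exported by `openssl s_client -showcerts`, converted from PEM), leaf first.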

@alan

Yeah, it's a mess. I found a link to the episode of Security Now that I listened to about this. It's here (the hashing-in-SSL-certs part of the show starts about 48 minutes in) and there is a transcript for the show over here.

Edited to add: If it's any consolation, I currently don't plan to switch to a better cert till the deadline is almost upon us.

Edited by netcarver
