alan

SEO and SSL and SHA-1! Oh my!

title inspiration

TL;DR

Unless a last bit of checking I am doing over the next short while concludes otherwise, I am going to convert all my sites to run from httpS connections <del>and ensure all the certificates I use are of type SHA-2 not SHA-1</del><ins>and later on ensure all the certificates I use are of type SHA-2 not SHA-1</ins>

Dull detail

I may be wrong about a little or a lot of this stuff so please check my facts before you rush off and do stuff, but, I've learnt some new stuff over the last little while and thought I'd share with PW friends in case it's of any help.

The following is just a bunch of things that I believe are correct and that may be helpful, sorry I had no time to write it up into a nice article/post:

Edited by alanfluff

Yep, the certificate authorities are rubbing their hands in glee.

Who is signing SHA2 certificates? We mostly use namecheap.com and even the ones bought a month ago are SHA1 according to the tool posted :/

You can get SHA-2 from namecheap I believe, I think you need to ask though, not tried yet tho am about to today probably.

Alan, this probably won't affect you or anyone else here who's running https sites but I'll post it anyway...

Please make sure that there aren't any issues with your visitors' browser support for SSL certs that use SHA-2. If you have a whole bunch of visitors using older versions of IE then you may be cutting them off if you do go down this route. (I know that another take on this would be "Encouraging them to switch".) I believe that Mozilla had to rapidly switch back to SHA-1 after switching to SHA-2 recently as many people who install Windows then visit Mozilla's site to get the latest version of Firefox and download it. Of course, when Mozilla switched to SHA-2 some proportion of their visitors (I think it was a fair few percent but can't remember the figure) were finding that they couldn't download Firefox without certificate warnings & ironically this put up a barrier to their switching to a better browser - so Mozilla rapidly reverted the change.

What I like about the story is that folks were using IE just once, as a bootstrap, to load a better browser & that Mozilla thought that it was more important to allow them to do that easily than to improve their own site's SSL hash algorithm.

Ahh.., thanks very much Steve for expanding my understanding. So this (switch to SHA-2) is another opportunity to get certificate warnings—my head hurts o_O I was hoping I'd stumbled on a way to 'just go SSL' ;)

For me, new to implementing SSL it is confusing, especially when I read here

HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.

which I mistakenly took as a cue that the cure-all was just to go SHA-2, clearly it's not :/

I don't have any sites with SSLs longer than 12 months so my quoted potential problem is a non-issue for me but presumably I (us web peeps who use 1yr certificates) need in 2016(?) to buy SHA-2s for fear that they will last into 2017 and at that time get the same sort of warning you pointed out can happen today if, ironically, one uses SHA-2 certificates?

- - -

And grinned re your bootstrap observation there, I always take a small delight in launching IE once per VM build just to go download Chrome ;)
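
The check reasoned about in the post above (SHA-1 signature plus an expiry past 1 January 2017), as an added example that is not part of the original thread: a standard-library DER reader that pulls the signature algorithm and notAfter date out of one certificate. All function names are hypothetical, "valid past 1 January 2017" is assumed to mean notAfter on or after that date, and the sample input is a constructed, unsigned skeleton rather than a real certificate.

```python
from datetime import datetime, timezone

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
ECDSA_SHA1 = bytes.fromhex("2a8648ce3d0401")      # OID 1.2.840.10045.4.1
SHA1_SIG_OIDS = {SHA1_RSA, ECDSA_SHA1}
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)  # date from the quoted notice

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split the contents of a SEQUENCE into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    # UTCTime (0x17) carries a 2-digit year, GeneralizedTime (0x18) a 4-digit one
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def check_cert(der):
    """Return (uses_sha1, not_after, flagged) for one DER-encoded certificate."""
    cert = children(read_tlv(der, 0)[1])  # tbsCertificate, signatureAlgorithm, signature
    tbs = children(cert[0][1])
    if tbs[0][0] == 0xA0:                 # optional [0] version field comes first
        tbs = tbs[1:]
    not_after = parse_time(*children(tbs[3][1])[1])  # tbs[3] is the validity SEQUENCE
    uses_sha1 = children(cert[1][1])[0][1] in SHA1_SIG_OIDS
    return uses_sha1, not_after, uses_sha1 and not_after >= CUTOFF

def tlv(tag, content=b""):
    return bytes([tag, len(content)]) + content  # short-form length, content < 128 bytes

def skeleton_cert(sig_oid, not_after):
    """Constructed, unsigned, certificate-shaped DER (no names or key): sample input only."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05))
    validity = tlv(0x30, tlv(0x17, b"150101000000Z") + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30) + validity + tlv(0x30))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

print(check_cert(skeleton_cert(SHA1_RSA, b"170601000000Z")))  # constructed sample
```

To run it on a real certificate, convert the PEM text with `ssl.PEM_cert_to_DER_cert()` and pass each certificate in the chain to `check_cert` in turn.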

@alan

Yeah, it's a mess. I found a link to the episode of Security Now that I listened to about this. It's here (hashing in SSL certs part of the show starts about 48 mins in) and there is a transcript for the show over here.

Edited to add: If it's any consolation, I currently don't plan to switch to a better cert till the deadline is almost upon us.

Edited by netcarver

@Joss, thanks for the link, will read :)

@steve, thanks for those resources! And it IS of consolation to read your comment about your planned switch, I like a good rule-of-thumb ^_^
