phydroxide
The SSL 3.0 protocol is almost 20 years old, so whilst the vast majority of browsers still support it, it is insecure and outdated. Google, Microsoft and Firefox have all announced that they will remove support for it from their browsers over the coming months, so there's no time like the present to have SHA-2 SSL certificates explained.
Many browsers retry a failed connection with older protocol versions, falling back as far as SSL 3.0. This leaves your website exposed: a targeted attack that causes connection failures can trigger that fallback, so the browser ends up negotiating SSL 3.0 rather than a modern TLS version. Once a session runs over SSL 3.0, its known weaknesses mean that hackers and malicious third parties can intercept the plaintext contents of what should be a secure connection to your website.
SHA-2 is a family of cryptographic hashing algorithms designed to replace SHA-1. Security experts around the world have repeatedly warned that SSL certificates using SHA-1 run a serious risk of being hacked and of their users' data being compromised.
To ensure your website is secure and adheres to industry best practice, we recommend turning off SSL 3.0 and upgrading to SHA-2 SSL certificates as soon as possible.
Over the next few months and years Microsoft, Google and Mozilla will begin to migrate their systems away from SHA-1 SSL to SHA-2 SSL.
As these dates loom ever closer, it’s time to make the switch.
- November 2014: Google Chrome will display a warning on SHA-1 SSL certificates which expire at any point in 2017.
- December 2014: Google Chrome will display a warning on SHA-1 SSL certificates which expire at any point after 1st June 2016.
- January 2015: Google Chrome will display a warning on SHA-1 SSL certificates which expire at any time in 2016.
- January 1st 2016: Microsoft will end trust for SHA-1 SSL certificates which do not include a timestamp.
- January 1st 2017: Microsoft and Mozilla will end trust for all SHA-1 SSL certificates.
Check your website supports SHA-2 Certificates
The first step is to make sure your website will support SHA-2 certificates. To get started, check out the compatibility guide below:
| Browser | Minimum Browser version |
|---|---|
| Chrome | 26+ |
| Firefox | 1.5+ |
| Internet Explorer | 6+ (with XP SP3+) |
| Konqueror | 3.5.6+ |
| Mozilla | 1.4+ |
| Netscape | 7.1+ |
| Opera | 9.0+ |
| Safari | 3+ |
| Server | Minimum Server version |
|---|---|
| Amazon Web Services AWS (1) | Yes |
| Apache | 2.0.63+ w/ OpenSSL 0.9.8o+ |
| Barracuda Network Access Client | 3.5+ |
| Cisco ASA 5500 | 8.2.3.9+ for AnyConnect VPN Sessions or 8.4(2)+ for other functionalities |
| Citrix Receiver | Varies |
| CrushFTP | 7.1.0+ |
| F5 BIG-IP | 10.1.0+ |
| IBM Domino Server (2) | 9.0+ (Bundled with HTTP 8.5+) |
| IBM HTTP Server (2) | 8.5+ (Bundled with Domino 9+) |
| IBM z/OS | v1r10+ |
| Java based products | Java 1.4.2+ |
| Mozilla NSS Based Products | 3.8+ |
| OpenSSL based products | OpenSSL 0.9.8o+ |
| Oracle Wallet Manager | 11.2.0.1+ |
| Oracle Weblogic | 10.3.1+ |
| SonicOS (SonicWALL) | 5.9.0.0+ |
| WebSphere MQ | 7.0.1.4+ |
| Operating System | SSL Certificate Minimum OS Version | Client Certificate Minimum OS Version |
|---|---|---|
| Android | 2.3+ | 2.3+ |
| Apple iOS | 3.0+ | 3.0+ |
| Blackberry | 5.0+ | 5.0+ |
| ChromeOS | Yes | Yes |
| Mac OS X | 10.5+ | 10.5+ |
| Windows | XP SP3+ | XP SP3+ (Partial) |
| Windows Phone | 7+ | 7+ |
| Windows Server | 2003 SP2 + Hotfixes (Partial) | 2003 SP2 + Hotfixes (Partial) |
| Operating System | SSL Certificate (Client Side) | SSL Certificate (Server Side) | S/MIME | Code Signing |
|---|---|---|---|---|
| Mac OS X 10.5+ | Yes | N/A | Yes | Yes |
| Windows 8 | Yes | N/A | Yes | Yes |
| Windows 7 | Yes | N/A | Yes | Partial |
| Windows Vista | Yes | N/A | Yes | Partial |
| Windows XP SP3 (4) | Yes | N/A | Partial | Partial |
| Windows Server 2012 & 2012 R2 | Yes | Yes | Yes | Yes |
| Windows Server 2008 & 2008 R2 | Yes | Yes | Yes | Partial |
| Windows Server 2003 w/ KB 938397 (3, 4) | Yes | Yes | Partial | Partial |
| Windows Phone 8 | Yes | N/A | Yes | N/A |
| Windows Phone 9 | Yes | N/A | Yes | Yes |
| Email Client | Verify SHA-2 Signed E-Mail | Sign E-Mail with SHA-2 |
|---|---|---|
| IBM Notes 9+ | Yes | Yes |
| Mac Mail on OS X 10.5+ | Yes | Yes |
| Mozilla Thunderbird 1.5+ | Yes | Yes |
| Outlook 2007+ on Vista+ | Yes | Yes |
| Client | Verify SHA-2 Signed Document | Place SHA-2 Signature with SHA-2 certificate |
|---|---|---|
| Adobe Acrobat Pro 9+ | Yes | Yes |
| Adobe Reader 9+ | Yes | N/A |
| LibreOffice Writer 4.2 on Vista+ | Yes | Yes |
| Word 2007+ on Vista+ | Yes | Yes |
| Operating System | Authenticode | Kernel Mode | VBA Macros: Office 2003, 2007, 2010 | VBA Macros: Office 2013 |
|---|---|---|---|---|
| Windows 8 | Yes | Yes | No | Yes |
| Windows 7 | Yes | No | No | Yes |
| Windows Vista | Yes | No | No | N/A |
| Windows XP SP3 | Yes | No | No | N/A |
| eToken/iKey | Place SHA-2 Signature |
|---|---|
| eToken 5205 | Yes |
| eToken 5200 | Yes |
| eToken 5105 | Yes |
| eToken 5100 | Yes |
| iKey 4000 | No |
Find all SHA-1 certificates and generate new CSRs for them
To identify the SHA-1 certificates in your network that need updating, we recommend using a tool like CSR Generator to generate new CSRs for any certificates still using SHA-1. Alternatively, if you know what you are doing, you can generate a new CSR with OpenSSL on the command line.
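As an added example (not code from the original post), the shell helpers below cover both recommendations in this post: listing the certificates still signed with SHA-1, requesting a SHA-2 replacement with OpenSSL, and confirming that an Apache SSL config has SSL 3.0 switched off. They need the openssl CLI; the common name, file paths and the SSLProtocol line format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for the SHA-1 to
# SHA-2 migration and the SSL 3.0 shutdown described above. Needs the openssl
# CLI; paths, common names and the Apache config format are assumptions.

# Create a new RSA key and a CSR signed with SHA-256, so the CA issues a SHA-2
# certificate. $1 = common name, $2 = output prefix (writes $2.key and $2.csr).
gen_sha256_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$1" >/dev/null 2>&1
}

# Print the signature algorithm of a PEM object. $1 = "req" (CSR) or "x509"
# (certificate), $2 = file. Output looks like sha1WithRSAEncryption.
sig_alg() {
    openssl "$1" -in "$2" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# List every .pem/.crt file under $1 whose signature still uses SHA-1; these
# are the certificates that must be reissued before the browser deadlines.
find_sha1_certs() {
    find "$1" -type f \( -name '*.pem' -o -name '*.crt' \) | while read -r f; do
        case "$(sig_alg x509 "$f" 2>/dev/null || true)" in
            sha1*) echo "$f" ;;
        esac
    done
}

# Return 0 only if $1 (an Apache SSL config) disables SSL 3.0. A line such as
# "SSLProtocol all -SSLv2 -SSLv3" passes; "all" without "-SSLv3", an explicit
# "+SSLv3"/"SSLv3", or no SSLProtocol line at all (Apache defaults to "all") fails.
sslv3_disabled() {
    grep -i '^[[:space:]]*SSLProtocol' "$1" | tr 'A-Z' 'a-z' | awk '
        { bad = 0
          for (i = 2; i <= NF; i++) {
              if ($i == "all" || $i == "sslv3" || $i == "+sslv3") bad = 1
              if ($i == "-sslv3") { bad = 0; break }
          }
          if (bad) exit 1 }
        END { if (NR == 0) exit 1 }'
}

# Usage (paths are assumptions):
#   gen_sha256_csr www.example.com /etc/ssl/private/www   # send www.csr to the CA
#   find_sha1_certs /etc/ssl/certs
#   sslv3_disabled /etc/apache2/mods-enabled/ssl.conf && echo "SSL 3.0 is off"
```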
Replace SHA-1 Certificates with SHA-2 Certificates
Once you have identified the SHA-1 certificates that need replacing, you can either reissue each certificate, renew it or purchase a new one.
If you would like any help migrating from SHA-1 to SHA-2 SSL, feel free to drop one of the team a message. You can reach us by emailing hello@cdnify.com or by calling us on 0161 820 6113.