Poodle Attack: SHA-2 SSL Certificates Explained

SHA-2 SSL Certificates explained

What is the Poodle Attack?

The SSL 3.0 protocol is almost 20 years old, so whilst the vast majority of browsers support it, it is an insecure and outdated. Over the coming months Google, Microsoft and Firefox have all announced that they will remove support for it from their browsers, so there’s no time like the present to have SHA-2 SSL certificates explained.

Many browsers will retry failed connections with older protocol versions, including SSL 3.0.
This leaves your website susceptible to hacking because a targeted attack on your website can cause connection failures, which in turn can trigger the use of SSL 3.0.

This vulnerability means that hackers and malicious third parties can intercept the plaintext contents of secure connections on your website.

Should I switch?

SHA-2 is a cryptographic hashing algorithm designed to replace SHA-1.

Security experts around the world have repeatedly warned that SSL Certificates using SHA-1 technology run serious the risk of being hacked and having their user’s data compromised.

To ensure your website is secure and adhering to to industry best practices we recommend turning off SSL 3.0 and upgrading to SHA-2 SSL ASAP.

Important Dates to Remember

Over the next few months and years Microsoft, Google and Mozilla will begin to migrate their systems away from SHA-1 SSL to SHA-2 SSL.

As these dates loom ever closer, it’s time to make the switch.

November 2014
Google Chrome will display a warning on SHA-1 SSL certificates which expire at any point in 2017.

December 2014
Google Chrome will display a warning on SHA1-SSL certificates which expire at any point after 1st June 2016.

January 2015
Google Chrome will display a warning on SHA1-SSL certificates which expire at any time in 2016.

January 1st 2016
Microsoft will end trust for SHA-1 SSL Certificates which do not include a timestamp.

January 1st 2017
Microsoft and Mozilla will end trust for all SHA-1 SSL certificates.

SHA-1 to SHA-2 Migration Steps

Check your website supports SHA-2 Certificates
The first step is to make sure your website will support SHA-2 certificates. To get started check out compatibility guide below:

Browser Support

Browser Minimum Browser version
Chrome 26+
Firefox 1.5+
Internet Explorer 6+ (with XP SP3+)
Konquerer 3.5.6+
Mozilla 1.4+
Netscape 7.1+
Opera 9.0+
Safari 3+

Server Support

Server Minimum Server version
Amazon Web Services AWS (1) Yes
Apache 2.0.63+ w/ OpenSSL 0.9.8o+
Barracuda Network Access Client 3.5+
Cisco ASA 5500 for AnyConnect VPN Sessions or 8.4(2)+ for other functionalities
Citrix Receiver Varies
CrushFTP 7.1.0+
F5 BIG-IP 10.1.0+
IBM Domino Server2 9.0+ (Bundled with HTTP 8.5+)
IBM HTTP Server2 8.5+ (Bundled with Domino 9+)
IBM z/OS v1r10+
Java based products Java 1.4.2+
Mozilla NSS Based Products 3.8+
OpenSSL based products OpenSSL 0.9.8o+
Oracle Wallet Manager
Oracle Weblogic 10.3.1+
SonicOS (SonicWALL)
WebSphere MQ

OS Support

Operating System SSL Certificate Minimum OS Version Client Certificate Minimum OS Version
Android 2.3+ 2.3+
Apple IOS 3.0+ 3.0+
Blackberry 5.0+ 5.0+
ChromeOS Yes Yes
Android 2.3+ 2.3+
Mac OS X 10.5+ 10.5+
Windows XP SP3+ XP SP3+ (Partial)
Windows Phone 7+ 7+
Windows Server 2003 SP2 +Hotfixes (Partial) 2003 SP2 +Hotfixes (Partial)

Detailed OS Compatibility

Operating System SSL Certificate (Client Side) SSL Certificate (Server Side) S/MIME Code Signing
Mac OS X 10.5+ Yes N/A Yes Yes
Windows 8 Yes N/A Yes Yes
Windows 7 Yes N/A Yes Partial
Windows Vista Yes N/A Yes Partial
Windows XP SP34 Yes N/A Partial Partial
Windows Server 2012 & 2012 R2 Yes Yes Yes Yes
Windows Server 2008 & 2008 R2 Yes Yes Yes Partial
Windows Server 2003 w/ KB 938397 3, 4 Yes Yes Partial Partial
Windows Phone 8 Yes N/A Yes N/A
Windows Phone 9 Yes N/A Yes Yes

Email Client Compatibility

Email Client Verify SHA-2 Signed E-Mail Sign E-Mail with SHA-2
IBM Notes 9+ Yes Yes
Mac Mail on OS X 10.5+ Yes Yes
Mozilla Thunderbird1.5+ Yes Yes
Outlook 2007+ on Vista+ Yes Yes

Document Signing Compatibility

Client Verify SHA-2 Signed Document Place SHA-2 Signature with SHA-2 certificate
Adobe Acrobat Pro 9+ Yes Yes
Adobe Reader 9+ Yes N/A
LibreOffice Writer 4.2 on Vista+ Yes Yes
Word 2007+ on Vista+ Yes Yes

Code Signing Compatibility

Operating System Authenticode Kernal Mode VBA Macros: Office 2003, 2007, 2010 VBA Macros: Office 2013
Windows 8 Yes Yes No Yes
Windows 7 Yes No No Yes
Windows Vista Yes No No N/A
Windows XP SP3 Yes No No N/A

SafeNet eToken / iKey Compatibility

Etoken/Ikey Place SHA-2 Signature
eToken 5205 Yes
eToken 5200 Yes
eToken 5105 Yes
eToken 5100 Yes
iKey 4000 No

Find all SHA-1 certificates and generate new CSRs for them
To identify the SHA-1 certificates in your network that need updating we recommend using a tool like CSR Generator to generate new CSRs for any certificates still using SHA-1. Alternatively, if you know what you are doing, you can generate a new CSR using OpenSSL in the command line.

Replace SHA-1 Certificates with SHA-2 Certificates
Once you have identified the SHA-1 certificates that need replacing you can either reissue the certificate, renew it or purchase a new one.

Still Not Sure What To Do?

If you would any help migrating away from SHA-2 SSL then feel free to drop one of the team a message. You can get us by emailing hello@cdnify.com or by calling us on 0161 820 6113.

Enjoyed this blog post?

  • phydroxide

    What are you asserting is the association between SHA and POODLE?