Upgrade Your Web Sites to SHA-256 SSL Certificates

Some web sites still either do not offer https:// (secure HTTP) at all, or offer it with older certificates signed using SHA-1 rather than the SHA-256 standard. If you own one of these sites, here is why you should upgrade it now:

The IT industry wants all web site traffic to be encrypted, and is employing different strategies to make that happen. One is to increase the number of warning messages that web browsers show for unencrypted or under-encrypted web pages. Another is Google's PageRank algorithm, which currently scores encrypted pages higher than unencrypted pages, meaning that if you want your web pages to be at the top of Google's search results, you must, at a minimum, provide good encryption on your site. Some browsers will even stop allowing unencrypted login credentials or sensitive information to be passed starting January 2017.

One of the recent security shifts in the IT industry is the transition from signing SSL certificates with the SHA-1 hashing algorithm to signing them with the more secure SHA-256 hashing algorithm. The transition is being spurred by recent advances in, and the steadily falling cost of, cryptographic attacks on SHA-1, which show that SHA-1 is becoming susceptible to collision and pre-image attacks that organized groups of bad-faith actors can afford.

Therefore, in January of 2017, all web browsers will stop trusting all SHA-1-based certificates. At the same time, Microsoft Windows will no longer recognize certificates using the older SHA-1 algorithm for any operations. This means that if you run a server with SSL certificates, you should start upgrading your certificates to SHA-256 as soon as possible.

We encourage anyone who has servers that are not serving secure content, or that are using old SHA-1 SSL certificates, to secure their sites with HTTPS backed by SHA-256 certificates as soon as possible. As always, we can assist you with this transition, should you need help. For help or information, please contact the CNS Help Desk at https://www.cns.utexas.edu/help/ or help@cns.utexas.edu.

Written by Eric Rostetter, Senior System Administrator
Questions or comments? The best and easiest way to contact us is via the CNS Help Desk form.