Does your browser support SHA-2 certificates?

We recently blogged about how the SHA-1 hash algorithm is now considered to be broken.

Traditionally, SHA-1 has been used in SSL certificates, which are how websites identify themselves to web browsers such as Chrome, Firefox and Internet Explorer. Certificates are digitally signed by a well-known certificate authority (CA) using a hash algorithm such as SHA-1 or the more recent and cryptographically stronger SHA-2.

The idea is that the website sends the certificate to your browser when you first connect to it, and your browser can easily verify that the certificate was signed by a CA.

This means when you visit Amazon to purchase goods or your bank's website to perform financial transactions, you can be confident the site is genuine, rather than a fake site designed to steal your credit card or banking details. So certificates are a critical part of the web's security infrastructure.

Unfortunately, the integrity of this process is compromised if SHA-1 is broken. This means it may be possible - although still very difficult - for attackers to forge SSL certificates for well-known websites. The recommendation is to upgrade to SHA-2 certificates, which should be safe for years to come. CAs are only supplying SHA-2 certificates now, but there are still many SHA-1 certificates out there and they are valid in most browsers until 2016.

Most of the major browsers now support SHA-2 certificates, and many display a warning if a website supplies a SHA-1 certificate. It is important to upgrade to the latest browser version to ensure that it supports SHA-2.

If you aren't sure whether your browser supports SHA-2 certificates, you can check by visiting this test site.
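Site owners can check the other side of this: which hash family a certificate was signed with. As an added example (not part of the original post), the Python below reads the signatureAlgorithm field of a DER-encoded certificate and reports whether it names a SHA-1 or SHA-2 signature. The sample certificates are constructed placeholders with zero-filled bodies, and all function and constant names are assumptions of this example.

```python
# Added example (not from the original post). OIDs are the standard PKCS #1 / ANSI X9.62 ones.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content bytes; assumes byte 0 holds both leading arcs (true for these OIDs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (dotted OID, name, hash family) of the certificate's signatureAlgorithm."""
    outer_tag, cert, _ = read_tlv(der, 0)  # Certificate ::= SEQUENCE
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # SEQUENCE { algorithm OID, parameters }
    oid_tag, oid, _ = read_tlv(alg, 0)
    if outer_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate structure")
    dotted = decode_oid(oid)
    return (dotted, *SIG_ALGS.get(dotted, ("unknown", "other")))

def constructed_cert(oid_bytes):
    """Constructed sample: certificate-shaped DER with zero-filled body and signature."""
    def tlv(tag, content):
        n = len(content)
        head = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
        return bytes([tag]) + head + content
    alg = tlv(0x30, tlv(0x06, oid_bytes) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, bytes(300)) + alg + tlv(0x03, bytes(257)))

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # constructed input, SHA-1 signed
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # constructed input, SHA-2 signed
```

For a real certificate in PEM form, the standard library's `ssl.PEM_cert_to_DER_cert` produces the DER bytes that `signature_algorithm` expects.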

Posted by John Faulds in