Security Update: IMPORTANT (Time Sensitive) Message For All UCSF InCommon (Comodo) SSL Users
Security Update for SSLs
UCSF InCommon SHA-1 SSL Users
Effective September 22, 2014, InCommon (Comodo) began issuing SHA-2 signed SSL certificates with a maximum 3-year term. SHA-1 signed SSL certificates are still available but are limited to a one (1) year term.
InCommon (Comodo) expedited the issuance of SHA-2 SSLs and the term limit on SHA-1 SSLs in part because of Google's accelerated sunset of SHA-1 signed certificates, which begins in November 2014.
The SHA family of hashing algorithms was developed by the National Institute of Standards and Technology (NIST) and is used by certificate authorities (CAs) such as Comodo when digitally signing the certificates they issue to end entities.
The most widely deployed of these algorithms today is SHA-1, which Certificate Authorities adopted as the successor to MD5 because it was a large advance in cryptographic strength at the time. SHA-1's collision resistance has since weakened, and a certificate whose signature depends on it can in principle be forged by an attacker who finds a colliding certificate body. A forged certificate would let the attacker spoof site content, run convincing phishing attacks, or perform man-in-the-middle attacks against users who trust it.
In November 2013, Microsoft announced a policy change to the Microsoft Root Certificate Program: root certificate authorities may no longer issue X.509 certificates signed with SHA-1 for SSL or code signing after January 1, 2016. It was anticipated that other major vendors such as Mozilla, Google, Apple and Opera would follow suit. They have, and Google has accelerated the time frame.
HOW DOES THIS AFFECT YOU?
Web site/Service owners using HTTPS/SSL Certificates should take inventory of their certificates and plan on migrating affected SHA-1 SSL certificates to SHA-2 SSL. Please refer to https://wiki.library.ucsf.edu/display/ITSSecurityPolicy/UCSF+SHA-1+SSLs for a list of all UCSF InCommon (Comodo) SHA-1 SSLs.
A. Software and Hardware that support SHA-2
Most browsers, platforms, mail clients, and mobile devices already support SHA-2. However, some older operating systems, such as Windows XP before SP3, cannot validate SHA-2 signed certificates. Refer to https://www.digicert.com/sha-2-compatibility.htm for a list of software and hardware that are compatible with SHA-2 SSLs.
B. SHA-1 InCommon (Comodo) SSL Certificates
1. SHA-1 Certificates that expire before January 1, 2016 and need to be replaced or reissued
- IT Security will automatically select a SHA-2 SSL with a 3-year expiration date.
- If your system does not support SHA-2, please note in your request that you need a SHA-1 SSL.
- IT Security will then issue a SHA-1 SSL with a 1-year (or shorter) expiration date.
2. SHA-1 Certificates (expiring after January 1, 2016)
- You should submit a request for a new SSL - InCommon - How to Request a Certificate -https://wiki.library.ucsf.edu/display/ITSSecurityPolicy/InCommon+-+How+t...
C. Working with InCommon (Comodo) SHA-2 SSLs
The issuer chain for SHA-2 differs from SHA-1. The following are the Certificates present on the SHA-2 Certificate chain.
Comodo recommends that you update the certificate chain installed on your server so that the SHA-2 certificates are trusted.
HOW THIS MAY AFFECT YOUR USERS
- Windows and Internet Explorer, newer versions of Mac OS X, Firefox, Chrome, Opera, Safari, Java and Adobe Acrobat/Reader all support SHA-2.
- Users of your websites may see negative security indicators in their browsers if your SHA-1 certificates are valid beyond December 31, 2015.
- Google Chrome users will begin seeing these warnings in November 2014.
- Additionally, if a user is on Windows, they will not be able to access sites with SHA-1 certificates after January 1, 2017.
Site Security Level in Chrome, per the Chromium blog post linked below (Chrome version; end-entity certificate condition; indicator shown):
- Chrome 39 (November 2014): sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain: "secure, but with minor errors"
- Chrome 40: sites with end-entity certificates that expire between 1 June 2016 and 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain: "secure, but with minor errors"
- Chrome 40: sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain: "neutral, lacking security"
- Chrome 41: sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain: "affirmatively insecure"
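The inventory step recommended under "HOW DOES THIS AFFECT YOU" and the Chrome schedule above come together in the following script. It is an added example, not UCSF's, InCommon's or Comodo's code: it reads the signature algorithm and notAfter date out of DER certificates with a minimal stdlib parser, then reports which indicator Chrome 39, 40 and 41 would show for a chain. The sample certificates and site names are constructed for the demonstration (structurally valid DER, but unsigned, which is all the inventory logic needs). Two details beyond the table are assumptions from the Chromium post cited below: Chrome 41 widened the "minor errors" window to certificates expiring from 1 January 2016, and a self-signed root's own signature is ignored because browsers never verify it.

```python
"""Added example: inventory X.509 certificates by signature hash and expiry and
map them onto Chrome's SHA-1 sunset schedule. Standard library only; the
certificates below are constructed samples, not real certificates."""
from datetime import datetime, timezone

# Signature algorithm OIDs -> (name, hash family). sha1WithRSAEncryption is the
# algorithm found in the SHA-1 certificates this notice is about.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}
CUTOFF_2017 = datetime(2017, 1, 1, tzinfo=timezone.utc)
# Start of the "secure, but with minor errors" expiry window per Chrome version
# (Chrome 41's 1 Jan 2016 start is taken from the Chromium post, not the table).
WINDOW_START = {39: None,
                40: datetime(2016, 6, 1, tzinfo=timezone.utc),
                41: datetime(2016, 1, 1, tzinfo=timezone.utc)}


def _tlv(data, pos):
    """Decode one DER tag-length-value at pos: (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """All (tag, value) pairs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out


def _decode_oid(raw):
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def _decode_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_cert(der):
    """Return (signature algorithm name, hash family, notAfter) for one DER certificate."""
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    tbs, sig_alg, _ = _children(cert)                   # tbsCertificate, signatureAlgorithm, signatureValue
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])                  # serial, signature, issuer, validity, ...
    name, family = SIG_OIDS.get(oid, (oid, "unknown"))
    return name, family, _decode_time(*validity[1])


def chrome_indicator(chain, chrome_version):
    """Indicator Chrome 39/40/41 shows for a chain given end-entity first, root excluded
    (a root's self-signature is never verified, so its hash does not count)."""
    if not any(inspect_cert(c)[1] == "SHA-1" for c in chain):
        return "secure"
    not_after = inspect_cert(chain[0])[2]
    if not_after >= CUTOFF_2017:
        return {39: "secure, but with minor errors",
                40: "neutral, lacking security",
                41: "affirmatively insecure"}[chrome_version]
    start = WINDOW_START[chrome_version]
    return "secure, but with minor errors" if start and not_after >= start else "secure"


def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid, not_after="170630000000Z"):
    """Constructed sample: a structurally valid but unsigned DER certificate (not a real cert)."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"140922000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))


if __name__ == "__main__":
    sha1, sha256 = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
    sites = {                                           # hypothetical hostnames, constructed chains
        "old.example.edu": [make_sample_cert(sha1), make_sample_cert(sha1)],
        "mixed.example.edu": [make_sample_cert(sha256), make_sample_cert(sha1)],  # SHA-1 intermediate
        "new.example.edu": [make_sample_cert(sha256), make_sample_cert(sha256)],
    }
    for site, chain in sites.items():
        name, _, not_after = inspect_cert(chain[0])
        print(f"{site:18} {name:24} expires {not_after:%Y-%m-%d}  "
              f"Chrome 39: {chrome_indicator(chain, 39)};  Chrome 41: {chrome_indicator(chain, 41)}")
```

The "mixed" site is the case the chain note in section C is warning about: a freshly issued SHA-2 end-entity certificate still trips the sunset if it is served under a SHA-1 intermediate, so the server's chain file has to be replaced along with the certificate. Against a live server the same two fields come from `openssl s_client -connect host:443 -showcerts` piped through `openssl x509 -noout -text`, where the "Signature Algorithm" and "Not After" lines are what this script extracts.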
- Comodo - Transitioning your certificates to the stronger SHA-2 hashing algorithm - https://www.comodo.com/e-commerce/SHA-2-transition.php
- Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - https://technet.microsoft.com/en-us/library/security/2880823.aspx
- Chrome Gradually Sunsetting SHA-1 - http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html