Security Update: SHA-1 SSLs Stopped Being Trusted by Google Chrome
SHA-1 SSL Users
Recently, IT began receiving complaints from UCSF InCommon (Comodo) users that their SSL certificates had suddenly stopped being recognized, primarily by Chrome. In some cases, individuals accessing the website may see an error message:
"The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."
For examples of other error messages refer to http://security.stackexchange.com/questions/52834/what-exactly-does-it-m....
WHAT'S THE PROBLEM?
As IT announced in October 2014, Google Chrome began phasing out SHA-1 SSL certificates with Chrome 39, on an aggressive schedule that ends with SHA-1 certificates being treated as affirmatively insecure.
For the full announcement visit: IMPORTANT (Time Sensitive) Message For All UCSF InCommon (Comodo) SSL Users at https://it.ucsf.edu/status/2014-10-06/important-time-sensitive-message-a....
WHAT DO YOU NEED TO DO?
Website/service owners using HTTPS/SSL certificates should take inventory of their certificates and plan to migrate affected SHA-1 certificates to SHA-2.
1. Inventory your existing certificates
- Refer to https://wiki.library.ucsf.edu/display/ITSSecurityPolicy/UCSF+SHA-1+SSLs for a list of all UCSF InCommon (Comodo) SHA-1 SSLs.
- To check if your site is affected, and if so, which warning will occur and approximately when use the SHA-1 and Google Chrome Checker at http://sha1affected.com/.
- Your website must be reachable from outside the UCSF network for this tool to produce an accurate report.
2. Replace SHA-1 certificates
- Start with the certificates used on your most important sites and those that expire after 2016; those will be the worst affected by the proposed changes and might stop working in 2017. Then work your way back through the remaining certificates.
- Refer to InCommon – How to Request a Certificate at https://it.ucsf.edu/services/ssl-certificates/additional/incommon-how-re....
- SHA-1 and Google Chrome Checker at http://sha1affected.com/
- What exactly does it mean when Chrome reports a certificate 'does not have public audit records'? - http://security.stackexchange.com/questions/52834/what-exactly-does-it-m...
- Chrome Gradually Sunsetting SHA-1 - http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
- Chromium Projects TLS / SSL - https://www.chromium.org/Home/chromium-security/education/tls
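As an added illustration of steps 1 and 2 above (inventory, then prioritize replacement), the following Python script is not part of the UCSF announcement or of the InCommon/Comodo tooling. It reads the signature-algorithm OID and the notAfter date directly out of a DER-encoded certificate with a small ASN.1 walker, flags SHA-1 signatures, and orders the results the way the page recommends: SHA-1 certificates still valid after 2016 first. The OID values are the standard ones; the make_test_cert skeleton, its hostnames and dates are constructed for this example and are not real UCSF certificates.

```python
import ssl
from datetime import datetime, timezone

# Standard signature-algorithm OIDs, mapped to a name and the hash family Chrome distinguishes.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
}
# The page says to replace first the SHA-1 certificates that are still valid after 2016.
SHA1_SUNSET = datetime(2016, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

def _read_tlv(data, pos):
    """Return (tag, content, next_pos) for the DER element starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def _parse_time(tag, value):
    """Decode UTCTime (tag 0x17) or GeneralizedTime (tag 0x18) to an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_certificate(der):
    """Report signature hash family, expiry and the action the page prescribes for one DER cert."""
    _, cert, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)             # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)         # signatureAlgorithm (the outer one)
    _, oid_bytes, _ = _read_tlv(sig_alg, 0)      # AlgorithmIdentifier.algorithm
    oid = _decode_oid(oid_bytes)
    name, family = SIG_OIDS.get(oid, (oid, "unknown"))
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer, validity, ...
    tag, _, after = _read_tlv(tbs, 0)
    p = after if tag == 0xA0 else 0
    for _ in range(3):                           # skip serialNumber, signature, issuer
        _, _, p = _read_tlv(tbs, p)
    _, validity, _ = _read_tlv(tbs, p)
    _, _, q = _read_tlv(validity, 0)             # notBefore
    tag, not_after, _ = _read_tlv(validity, q)   # notAfter
    expiry = _parse_time(tag, not_after)
    if family == "SHA-1":
        action = "replace first" if expiry > SHA1_SUNSET else "replace"
    else:
        action = "ok" if family == "SHA-2" else "review"
    return {"signature_algorithm": name, "hash_family": family, "not_after": expiry, "action": action}

def inventory(named_certs):
    """Inspect {label: DER bytes} and return rows ordered by replacement priority, then expiry."""
    order = {"replace first": 0, "replace": 1, "review": 2, "ok": 3}
    rows = [dict(label=label, **inspect_certificate(der)) for label, der in named_certs.items()]
    return sorted(rows, key=lambda r: (order[r["action"]], r["not_after"]))

def from_pem(pem_text):
    """For real inputs: PEM text (e.g. from ssl.get_server_certificate((host, 443))) to DER."""
    return ssl.PEM_cert_to_DER_cert(pem_text)

# Constructed test data: a minimal unsigned X.509 skeleton, not a real UCSF certificate.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk, arc = chunk + [0x80 | (arc & 0x7F)], arc >> 7
        out += bytes(reversed(chunk))
    return out

def make_test_cert(sig_oid, not_after_utctime):
    """Build a parseable certificate skeleton with the given signature OID and notAfter (UTCTime)."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    name = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, not_after_utctime.encode("ascii")))
    spki = _der(0x30, _der(0x30, _der(0x06, _encode_oid("1.2.840.113549.1.1.1")) + b"\x05\x00") + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```

For a real inventory, feed it DER from your certificate files or `from_pem(ssl.get_server_certificate((host, 443)))` and print the rows returned by `inventory`; the "replace first" rows are the ones step 2 tells you to handle before anything else. The script looks only at the signature on the certificate you hand it, so run it over each certificate in the chain (leaf and intermediates), not just the leaf.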