(DC) SHA-2 versus SHA-1
Description
There was some confusion regarding the issuance of SSL certificates and many other types of certificates using the old, deprecated SHA-1 signature algorithm versus the newer and more secure signing algorithms based on SHA-2.
SHA-1 has been deprecated
As of January 1, 2016, no publicly trusted CA is allowed to issue a SHA-1 certificate. In addition, SHA-1 support was removed by most modern browsers and operating systems in early 2017. Any new certificate issued will only use a SHA-2 algorithm for its signature.
All root and intermediate certificates found on (DC) Certificate Chain (Root and Intermediate) use SHA384, a more secure hashing algorithm.
Why do I still see a SHA-1 fingerprint?
There are many online tools that will decode a PEM-encoded certificate and give you all the details about the certificate, including a property called "SHA-1 fingerprint". It is common to see this, because the SHA-1 hashing algorithm can be used to generate a cryptographic (mathematically generated) fingerprint for any certificate, including those signed with the later and more secure hashing algorithms.
This DOES NOT mean that the certificate is using the outdated and deprecated SHA-1 signing algorithm. The tool is merely using the SHA-1 algorithm to calculate an identifying fingerprint of that certificate for display purposes, which is a separate function from the actual certificate signature algorithm used to secure the data. Displaying a SHA-1 fingerprint is considered a legacy practice, even when the certificate is using a more secure standard like SHA-256.
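The distinction above, as an added example (not part of the original article): the signing algorithm is read out of the certificate's own signatureAlgorithm field, while the fingerprint is a digest the viewing tool computes over the certificate's DER bytes. The sample input is a constructed, certificate-shaped DER skeleton rather than a real certificate, and all function names are assumptions made for this illustration.

```python
import hashlib
# signatureAlgorithm OIDs and the names OpenSSL prints for them
SIG_ALG_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                 "1.2.840.113549.1.1.12": "sha384WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    subids, value = [], 0
    for byte in body:  # base-128 digits, high bit set on all but the last
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)  # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_algorithm(der):
    """Algorithm the CA signed with: the certificate's signatureAlgorithm field."""
    _, pos, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, pos)        # skip over tbsCertificate
    _, alg_pos, _ = read_tlv(der, tbs_end)    # signatureAlgorithm ::= SEQUENCE
    tag, start, end = read_tlv(der, alg_pos)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(der[start:end])
    return SIG_ALG_NAMES.get(oid, oid)

def fingerprint(der, hash_name="sha1"):
    """Viewer-side identifier: a digest of the whole DER encoding, not stored in it."""
    return hashlib.new(hash_name, der).hexdigest()

def tlv(tag, body):  # builds one DER element; used only for the constructed sample
    raw = len(body).to_bytes(2, "big").lstrip(b"\0")
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

# Constructed sample: placeholder tbsCertificate, sha256WithRSAEncryption, zeroed signature
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
SAMPLE = tlv(0x30, tlv(0x30, b"constructed tbsCertificate") + ALG + tlv(0x03, bytes(257)))
```

For a real certificate, pass its DER bytes to both functions: signature_algorithm() reports what the CA used, while fingerprint() can be run with "sha1" or "sha256" on the same bytes without changing anything about the certificate.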
How do I verify the signing algorithm?
You can use one of two methods:
The website:
Free SSL Checker Tool - Check SSL Certificate
Enter the URL of the website and it will return the certificate details.
Or, if you have access to a Linux or Macintosh computer command line, you can use the following command to return the signing algorithm being used by a website.
If you are testing a campus-only web server that cannot be reached from the public internet, you will have to use the command-line method to test it from a computer on the campus network.
openssl s_client -connect www.yoursite.com:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
This should return output similar to:
❯ openssl s_client -connect www.google.com:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
More Information on SHA and Signing Algorithms
From the website:
What is SHA? What is SHA used for? | Encryption Consulting
Different SHA Forms
When learning about SHA forms, several different types of SHA are referenced. Examples of SHA names used are SHA-1, SHA-2, SHA-256, SHA-512, SHA-224, and SHA-384, but in actuality there are only two types: SHA-1 and SHA-2. The other larger numbers, like SHA-256, are just versions of SHA-2 that note the bit lengths of the SHA-2.
SHA-1, introduced in 1993, was the original secure hashing algorithm, returning a 160-bit hash digest after hashing.
However, due to its short bit length, vulnerabilities like collision attacks surfaced. In cryptography, a collision occurs when two different inputs produce the same hash. Over time, it became easier to find these collisions, significantly undermining SHA-1’s security. A landmark event was the 2017 “SHAttered” attack conducted by Google and CWI researchers, which successfully demonstrated a collision in SHA-1, marking its obsolescence in secure applications. SHA-1 is now a deprecated algorithm, no longer used for hashing online.