Wednesday, October 15, 2014

Siebel public facing applications SSL SHA1 – SHA 2 encryption message changes

 

Microsoft and Google announced SHA-1 deprecation plans that may affect websites with SHA-1 certificates expiring as early as after December 31, 2015.

As per oracle there is no plan to support SHA-2 before 2016 that is Innovation pack 2015.

According to Google’s blog on “Gradually Sunsetting SHA-1”, Chrome version 39 and later will display visual security indicators on sites with SHA-1 SSL certificates with validity beyond January 1, 2016. The production release of Chrome 39 is expected to be in November, 2014. The sites will be treated with one of the following indicators: “secure, but with minor errors” (lock with yellow triangle), “neutral, lacking security” (blank page icon) and “affirmative insecure” (lock with a red X). In order to prevent online users on Chrome version 39 and later from experiencing these indicators, SHA-1 SSL certificates expiring after December 31, 2015 must be replaced with SHA-256 (SHA-2) certificates.

Microsoft’s SHA-1 deprecation plan differs in the activation time and browser behavior. Microsoft’s security advisory on “Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program” informed us that Windows will cease accepting SHA-1 SSL certificates on January 1, 2017. To continue to work with Microsoft platforms, all SHA-1 SSL certificates issued before or after this announcement must be replaced with a SHA-2 equivalent by January 1, 2017.

 

https://www.symantec.com/page.jsp?id=sha2-transition

http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html

https://technet.microsoft.com/library/security/2880823