Rule from ssl under security category
Every certificate along the chain of issued/signed certificates must be kept secure and should use current signature algorithms.
This error indicates that a certificate in the chain is still signed using the SHA1 hash algorithm. In 2017, Google announced that they had [found a collision in SHA1](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html), which means this hash function is no longer seen as secure.
While SHA1 is not as thoroughly broken and open to preimage attacks as MD5 is now, this does mean that, given enough time and advances in computing power, attacks could later derive the SHA1 certificates from the signature itself.
To sum up this issue:
If an intermediate or end certificate has a weak signature, then it is possible for an attacker to generate two certificates with the same signature but different encoded information (e.g. looks-harmless.com and your-bank.com). The attacker can then ask a certificate authority to sign one of the certificates (looks-harmless.com) and then copy the signature to the other certificate (your-bank.com).
The problem with SHA1 is that it has flaws that render it feasible for an attacker with sufficient resources to find such collisions.
Look into issuing certificates from CAs that use SHA256 (at a minimum) to hash their signatures. Many CAs offer both for compatibility reasons.