With Chrome version 39 which is in the process of being released (see footnote), Google has started issuing warnings if a website is using a certificate that has a signature algorithm that uses the older and less secure SHA1.

To find out which signature algorithm your secure website is using, in Chrome click on the green lock in the location bar. Then click on ‘connection’, then click on ‘certificate information’. You should see something like the image below. Note the ‘Signature algorithm’ is SHA-256 which is one of the SHA2 hashing functions. If you see SHA-1, you need to immediately reissue your certificate using SHA-2 and install the new version.

 

So what does it look like in the new version of Chrome when you’re using SHA-1? This is taken from a well known website that has not upgraded yet. Notice the lock with the warning triangle in the location bar. This is the main indication for a site visitor that something is awry. If you then click on the lock it has a further warning with explanation.

 

If you do have a website that is using SHA-1, don’t panic. Just sign into GoDaddy or whoever your SSL issuer is. Then go to manage your certificates and they’ll have an option there to reissue your certificate. You’ll need to resubmit your certificate signing request (CSR) but you can just resubmit your old CSR and it will work fine.

Then make sure that you’ve selected SHA-2 or SHA-256 or another SHA-2 compatible function. Then reissue the certificate. In GoDaddy’s case it takes about a minute for them to approve your request. If you have an EV certificate it may take longer.

Please share this with other site administrators to make sure that their customers aren’t getting warnings when visiting those all-important secure pages.

Footnote: Chrome 39 has officially been pushed into the “Stable” channel which is the release channel. It will be pushed out via auto-update to millions of customers in the coming days. The demo above was done with Chrome 40 beta, but what the user sees is identical.