One of the web’s most popular cryptographic algorithms, SHA-1, will cease to work on much of the web at the end of this month, when major providers including Akamai, Google and Microsoft stop recognizing certificates signed with it.
SHA-1, which has facilitated secure connections between devices and web servers since the early 1990s, has been regarded for some time as vulnerable and in need of replacement. Major vendors have been working to replace affected certificates with ones that use the more secure SHA-2 standard, and from the beginning of 2016 stopped issuing new SHA-1 certificates.
Akamai is the latest organization to take part, with plans to end support for SHA-1 by the end of this month. The vast majority of devices, browsers and operating systems released in the last several years are already compatible with SHA-2, and will continue to work without issue for the foreseeable future. We have also worked to ensure that any SHA-1 endpoints on Brightcove services have been updated.
As CDNs and other services sunset support for SHA-1 at the end of this year, it’s important to ensure that any clients or services in your ecosystem that connect to SSL endpoints (anything with an “https://” URL) can support SHA-2. Any relatively modern browsers, operating systems, and programming libraries will not have issues, but consider reviewing any older systems that may rely on outdated HTTP request libraries.
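To find endpoints in your own ecosystem that still serve a SHA-1-signed certificate, you can read the signature algorithm directly from the certificate. The Python below is an added example, not Brightcove or Akamai code; the function names and the skeleton sample certificate are constructed for illustration, and only the leaf certificate is inspected, not the rest of the chain.

```python
import ssl

# DER-encoded signatureAlgorithm OIDs -> (name, hash family)
SIG_OIDS = {
    "2a864886f70d010105": ("sha1WithRSAEncryption", "SHA-1"),
    "2a864886f70d01010b": ("sha256WithRSAEncryption", "SHA-2"),
    "2a864886f70d01010c": ("sha384WithRSAEncryption", "SHA-2"),
    "2a864886f70d01010d": ("sha512WithRSAEncryption", "SHA-2"),
    "2a8648ce3d0401": ("ecdsa-with-SHA1", "SHA-1"),
    "2a8648ce3d040302": ("ecdsa-with-SHA256", "SHA-2"),
    "2a8648ce3d040303": ("ecdsa-with-SHA384", "SHA-2"),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_signature_hash(der):
    """Classify the signatureAlgorithm of a DER-encoded X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(der, start)        # tbsCertificate, skipped
    _, alg_start, _ = read_tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = der[oid_start:oid_end].hex()
    return SIG_OIDS.get(oid, ("unknown OID " + oid, "unknown"))

def endpoint_signature_hash(host, port=443):
    """Fetch the leaf certificate served at host:port and classify it (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return cert_signature_hash(ssl.PEM_cert_to_DER_cert(pem))

def sample_cert(oid_hex):
    """Constructed skeleton, not a real certificate: empty TBS, dummy signature."""
    tlv = lambda tag, val: bytes([tag, len(val)]) + val   # short-form lengths only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00\xaa"))
```

Run `endpoint_signature_hash` against each HTTPS host your clients depend on; any result in the "SHA-1" family marks an endpoint whose certificate still needs replacing.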
We also recommend ensuring that your list of supported end-user browsers and devices is up to date, and does not include any versions that are incompatible with SHA-2. An abbreviated list of supported devices is below, and a more detailed compatibility list is available.
Minimum versions for SHA-2 compatibility:
- Chrome 26+
- Firefox 1.5+
- Internet Explorer 6+ (with XP SP3+)
- Mozilla 1.4+
- Opera 9.0+
- Safari 3+ (Ships with OS X 10.5)
- Android 2.3+
- Apple iOS 3.0+
- Blackberry 5.0+
- MacOS 10.5+
- Microsoft Windows XP SP3+
- Windows Phone 7+