On October 8, 2015, a team of international cryptography researchers warned of a significantly increased risk in using SHA-1 certificates, and recommended that administrators accelerate their migration to SHA-2 certificates.
The risk is that, with enough computing power, an attacker can craft a fake certificate that in all key respects appears to be signed by a public Certification Authority (it cryptographically chains up to a Certification Authority’s root certificate). This doesn’t mean that websites are suddenly insecure, but it certainly is a wake-up call.
The current policy of most browsers stipulates that they will completely reject SHA-1 TLS certificates on January 1, 2017. However, in light of these new findings, it’s highly possible the deadline will be accelerated. If your customers are still using SHA-1 certificates, you should accelerate their plans to replace them with SHA-2 certificates to avoid security warnings and to ensure visitors to their site are not blocked.
Action Required: In light of this recent research, we urge you to revoke your customers' SHA-1 certificates and replace them with SHA-2 certificates as soon as possible. Partners with impacted certificates were provided details in a previous communication.
Here are resources to help you understand the issue and reissue your customers' certificates quickly and easily:
CA/Browser Forum notice about SHA-1
For Symantec certificates click on this link – INFO2848
For GeoTrust certificates click on this link – INFO2851
For Thawte certificates click on this link – INFO2849
If you have any questions or need assistance, please contact us or learn more on our support page or blog.
Thank you,
Symantec Website Security Solutions