It’s several weeks now since Google announced that they are phasing out support for certificates signed with the SHA-1 algorithm. The end result will be that, starting in Q1 2015, SHA-1 certificates with long expiry times will be treated as completely invalid by Chrome.
Unfortunately, upgrading to SHA-256 certificates will break Internet Explorer on pre-SP3 versions of XP in a horrible way. Users will get the IE Generic Page of Awfulness, making it look like your site is down.
You don’t even have a chance to tell them to upgrade their OS or use a different browser: serve a SHA-256 certificate and it’s game over. There isn’t even anything in your server logs to tell you it happened.
Possible solutions might be
- Serve dual certificates. Apache can do this already, but if you’re using nginx for your SSL then you’ll have to wait, possibly too long. And this could get expensive unless your issuer is lovely and will give you parallel certificates for no extra charge.
- Pity the fools. What XP users haven’t applied SP3?! Unfortunately (and anecdotally; evidence welcome) there are plenty of XP users who—for whatever reason—can’t or won’t upgrade. If you serve content to users in less developed countries, you might well find lots of users with less-than-official copies of XP who can’t apply SP3.
- Wait. But you’ll have to do it eventually.
- Tell your users to use a different browser. If you’re in touch with your users, you can tell them to use Chrome instead of IE: it works with the new certificates even on an SP2 machine.
Remember also that you might be using your certificates for things other than HTTPS. Globalsign has a handy matrix of what will break when you upgrade.
Leave a Reply