SSL Certs and SHA-1 Weak Encryption

Not too long ago, some browsers took it upon themselves to deem certain sites "authoritatively weak" due to the use of SHA-1 ciphers in the certificate chain presented by the server.  While the reasoning behind this move is sound, it is still a headache for server admins who may not have had to renew their certs yet and still have old ciphers in use.  If you find yourself in this position, it is fairly easy to resolve.  If you're not sure if this applies to you, you can check your web site at shaaaaaaaaaaaaa.com.  The online tool will tell you if any of the certs in your certificate chain employ SHA-1 weak ciphers.

If you come up on the naughty list, there are two way to resolve the issue.  If it is close to your cert's expiration date, then renewing the cert will most likely fix the issue provided that your CA is using SHA-2 ciphers.  If they are not, then you will just get another cert issues with the same issue.  This is unlikely, as most CA's have been using SHA-2 ciphers for some time now.  If your expiration date is too far off to make renewing your cert feasible, simply request a reissue from your CA.

In either case, be sure to update appropriate revocation lists if necessary and most importantly, update your entire certificate chain for presentation to clients.

StartSSL - Can a free SSL cert be trusted?

During the course of renewing my SSL certs for another term, I happened upon an advertisement for a company called StartSSL who offers free SSL certificates.  My curiosity got the better of me and I had to click to find out more.

StartSSL offers several products ranging from extremely basic free certificates all the way to extended validation (EV) certs.

Who let the dogs out?

Here we go again - yet another "major" security vulnerability.  This time it is SSL 3.0 (why is anyone even using this anymore?) that has fallen victim.  Read more about the POODLE exploit at US-CERT.

Edit: The plot thickens!  This might be a good thing...

After reading a bit more on the subject, I realized that there might be a silver lining to this dark dog-shaped cloud after all.  All modern browsers support TLS and only fall back to SSL as a failsafe, so disabling SSL should not present an issue.  Notice that I said modern.  How many web developers out there consider IE6 and its nearly fossilized users to be thorn in their side?  Yes, there are some entities that insist on maintaining compatibility with this dinosaur of a browser.  Guess what IE6 does not support?  You guessed it... TLS!  What better reason to justify discontinuing support for IE6?

sed 's/WINDOWS XP/INTERNET EXPLORER 6/'