Why Signature Algorithms Matter
The strength of the hash algorithm used in signing a digital certificate is a critical element of the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can create or obtain fraudulent certificates. As new attacks are found and improvements in available technology make attacks more feasible, the use of older algorithms is discouraged and support for them is eventually removed.
SHA-1
SHA-1 based signatures are common; as of May 2015, they comprise roughly 45% of signatures used in digital certificates. However, SHA-1 is showing its age and its continued use is discouraged. When your certificates are replaced, ensure that a stronger signature algorithm (such as SHA-256) is used.
SHA-1 certificates will no longer be treated as secure by major browser manufacturers beginning in 2017.
MD5
Support for MD5 based signatures was removed in early 2012.
Learn More
- Mozilla Security Blog post on the deprecation of SHA-1