Question
I noticed today, after I scanned a site on the Qualys SSL Labs site, that SSL ciphersuites which use SHA1 are now highlighted as being "Weak". It seems this has just happened; I scan sites pretty regularly and haven't seen this before.
We have all known for some time that SHA1 has some weaknesses. Does this change reflect some new problems with SHA1? Has something officially changed in the industry to now have SHA1-based ciphersuites considered "weak"? Or is this just something the Qualys site is choosing to do now?
Explanation / Answer
Nothing has changed in the industry. Qualys is now just highlighting what we already know.
It is to give you a reminder that you should move away from SHA-1. It's not generally considered a critical problem yet, but should be sorted as part of normal refresh/update cycles.
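To act on that reminder you first need to know which of your enabled suites are the SHA-1 ones. The sketch below is an added example, not part of the original answer and not Qualys' own logic. It flags suites whose name ends in a bare `SHA` (or `SHA1`) in either IANA or OpenSSL naming, on the assumption that this suffix denotes an HMAC-SHA1 record MAC, while `SHA256`/`SHA384` suffixes do not. The function names and the sample list are constructed for illustration.

```python
import re
import ssl

# Constructed sample: suite names as they might appear in a scan report
# or a server configuration (IANA and OpenSSL spellings mixed).
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_MD5",
]

# A trailing "SHA" or "SHA1" preceded by "-" or "_" names HMAC-SHA1.
# "SHA256"/"SHA384" must not match, so the pattern is anchored at the end.
_SHA1_SUFFIX = re.compile(r"[-_]SHA1?$", re.IGNORECASE)


def uses_sha1_mac(suite_name):
    """Return True if the suite name indicates an HMAC-SHA1 record MAC."""
    return bool(_SHA1_SUFFIX.search(suite_name.strip()))


def split_suites(suite_names):
    """Partition names into (sha1_based, others), preserving input order."""
    sha1_based = [s for s in suite_names if uses_sha1_mac(s)]
    others = [s for s in suite_names if not uses_sha1_mac(s)]
    return sha1_based, others


def local_sha1_suites():
    """SHA-1 suites enabled in this Python/OpenSSL default client context."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if uses_sha1_mac(c["name"])]


if __name__ == "__main__":
    flagged, rest = split_suites(SAMPLE_SUITES)
    print("SHA-1 based (schedule for removal):")
    for name in flagged:
        print("  ", name)
    print("Not SHA-1 based:", len(rest))
    print("Enabled locally by default:", local_sha1_suites() or "none")
```

Feed it the suite list from your own scan report or server configuration in place of `SAMPLE_SUITES`.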