SHA-256 signed certificates are the new standard of TLS and the encrypted web. Starting in 2016, certificate authorities (CAs) will no longer be issuing SHA-1 certificates, making encrypting the web for older browsers difficult, if not impossible.
Browser vendors will phase out support for SHA-1 certificates in 2016, which means that, eventually, users with older browsers or operating systems won’t be able to access the encrypted web.
SHA-2 is supported by around 98% of browsers. This is good news, but that missing 2% represents over 37 million Internet users worldwide. Dropping support for SHA-1 means 37 million people won’t be able to access SSL/TLS-encrypted websites, especially those in certain emerging markets.
Cloudflare’s certificate optimization logic examines the browser’s capabilities, and then serves the most modern certificate it can support.
Cloudflare Business or Enterprise customers who would like to upload their own unique certificates for browser optimization can do so by contacting support..
SSL/TLS certificates are used to establish HTTPS sessions between browsers and servers. These certificates are distributed to browsers within in a standardized data structure — called X509 — that contains information such as the hostname(s) the certificate is valid for and when it expires. It also contains the name of the browser-trusted certificate authority (CA) — Comodo, DigiCert, GlobalSign, etc. — that signed the certificate and verified its contents.
When a browser receives this X509 structure, it extracts the certificate, hashes it (more on this in a second), and uses the issuer’s public key to verify the signature. If the signature matches, it continues on up the chain of trust, all the way to the CA’s root certificate, which it trusts implicitly.
Before the browser can verify the signature of an X509 structure using the issuer’s public key, it must first hash its contents. For most of the web’s HTTPS history, an algorithm called the Secure Hash Algorithm (SHA) was used to do this. Version 1 of this algorithm, released in 1995, was found by cryptographers in 2005 to be at risk for an attack known as a “collision”.
The cost of creating such a collision has been prohibitive since then, but it’s expected to be within reach of a determined (and deep-pocketed) foe by the next decade. As a result, many browsers are abandoning support for SHA-1 in lieu of the newer hashing standard, SHA-256.
SHA-256, commonly referred to as SHA-2, was adopted by browsers in recent years because it is exponentially more resistant to collisions. Unfortunately, older browsers were not built with SHA-2 support, and many are run on operating systems that are too old to upgrade. Cloudflare’s Certificate Optimization gives those lacking updatable hardware access to the encrypted web.
Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.
Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.