SHA-256 signed certificates are the new standard of TLS and the
encrypted web. Starting in 2016, certificate authorities (CAs) will
no longer be issuing SHA-1 certificates, making encrypting the web
for older browsers difficult, if not impossible.
Browser vendors will phase out support for SHA-1 certificates in
2016, which means that, eventually, users with older browsers or
operating systems won’t be able to access the encrypted web.
SHA-2 is supported by around 98% of browsers. This is good news,
but that missing 2% represents over 37 million Internet users
worldwide. Dropping support for SHA-1 means 37 million people won’t
be able to access SSL/TLS-encrypted websites, especially those in
certain emerging markets.
Cloudflare’s certificate optimization logic examines the
browser’s capabilities, and then serves the most modern
certificate it can support.
Cloudflare Business or Enterprise customers who would like to upload
their own unique certificates for browser optimization can do so by
SSL/TLS certificates are used to establish HTTPS sessions
between browsers and servers. These certificates are distributed
to browsers within in a standardized data structure — called X509 —
that contains information such as the hostname(s) the certificate
is valid for and when it expires. It also contains the name of the
browser-trusted certificate authority (CA) — Comodo, DigiCert,
GlobalSign, etc. — that signed the certificate and verified its
When a browser receives this X509 structure, it extracts the
certificate, hashes it (more on this in a second), and uses the
issuer’s public key to verify the signature. If the signature
matches, it continues on up the chain of trust, all the way to the
CA’s root certificate, which it trusts implicitly.
Before the browser can verify the signature of an X509
structure using the issuer’s public key, it must first hash its
contents. For most of the web’s HTTPS history, an algorithm called
the Secure Hash Algorithm (SHA) was used to do this. Version 1 of
this algorithm, released in 1995, was found by cryptographers in
2005 to be at risk for an attack known as a “collision”.
The cost of creating such a collision has been prohibitive
since then, but it’s expected to be within reach of a determined
(and deep-pocketed) foe by the next decade. As a result, many
browsers are abandoning support for SHA-1 in lieu of the newer
hashing standard, SHA-256.
SHA-256, commonly referred to as SHA-2, was adopted by
browsers in recent years because it is exponentially more
resistant to collisions. Unfortunately, older browsers were not
built with SHA-2 support, and many are run on operating systems
that are too old to upgrade. Cloudflare’s Certificate Optimization
gives those lacking updatable hardware access to the encrypted
Set up a domain in less than 5 minutes. Keep your hosting provider.
No code changes required.
Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.
for personal websites and blogs
Our mission is to build a better Internet. We believe every website should have free access to foundational security and performance. Cloudflare's Free plan has no limit on the amount of bandwidth your visitors use or websites you add.
If you want to make your site even faster and more resilient, you can easily upgrade to one of our higher tier plans.