Updating SSL certificate to SHA2

Hi all,

After first checking the Qualys SSL Labs test I was astonished to see how unsecure our site is and it has caused me to panic a little more than usual recently...

Part of this meant that I read about the update of SHA256 certificates coming into place, and it seemed that I should contact Trustwave (who issue our SSL certificate) to update from SHA1 to SHA2/SHA256... Please bare with me as I do not understand the technicalities of all this or anything much about web design and development.. But Trustwave were rather nice about sorting it out, however, I purchased the certificate through our hosts, and they stated that there is no need for us to update our certificate, with the low score we received on the test I want to ensure that our site is up to scratch and that we are doing what we can to ensure protection for the data and customers who shop with us.

Any assistance on this would be greatly appreciated, if you could advise if I should be going ahead with the update now that would be great,

Thanks for your time,

Luke

Luke, the SHA1 sunset doesn't come into effect until 2015/2016, and even then if your cert expires before that, you shouldn't see warnings in browsers. The sunset warnings apply to long-term registered certs (3+ years), before which SHA256 will be the default (exp 2017). This may be why your host said "its not needed".

But you purchased a cert, it was upgraded, you want it installed RSA256 mode right? Does the SSLlabs test show the new SHA256 cert in place? Make sure when you re-run the scan you click the little "clear cache" button under the header for report page. This will force a re-scan.

If SSLlabs isnt showing SHA256, no matter if your hosts says its "needed" or not, they need to re-install it for you. You pay them money, they do their job, everyone is happy. Get them to make SHA256 show in Qualys test, thats their job.

As far as other things that fail a test, there are a variety. Except for cleanup + HSTS, most of these are host-side fixes:

• Clean up all insecure sources from images, scripts, etc to make a clean green lock option everywhere
• Use HSTS policy with 180+ days cache - http://en.wikipedia.org/wiki/HTTP_Stric ... t_Security
• Disable SSL2/SSL3 and use only TLS1.0, 1.1, AND 1.2 (need 1.1 min for PayPal) (fixes POODLE) https://ppmts.custhelp.com/app/answers/ ... k4bQ%3D%3D
• Support TLS_FALLBACK_SCSV - https://tools.ietf.org/html/draft-ietf- ... de-scsv-00
• Disable insecure Ciphers and use only PCI 3.0+ or Moz intermediate/strict recommended
  • PCI 3.0: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
  • Moz: https://wiki.mozilla.org/Security/Serve ... default.29
• Turn on Forward Secrecy [ROBUST] - http://en.wikipedia.org/wiki/Forward_secrecy
• Obviously, fix any HEARTBLEED, BEAST, CRIME, or other known vulnerabilities by upgrading or backporting server software.
• There are special checks if you use HTTP2.0 on SPDY - if your host uses this its faster, but they need to keep it stable to make it pass SSLlabs.

If you need help with OpenCart compliance things like forced 301, HSTS policy, and broken lock cleanup, we made a mod here: http://www.opencart.com/index.php?route ... n_id=19396

Hope that helps man. Most of these are at host level, show them the scan results and these suggestions if you like. If you want a bonus, try to get them to pass Qualys PCI compliance test...its like interrogating your server tied up under a hot light for 7 or so hours