On October 8, 2015, a team of international cryptography researchers warned of a significantly increased risk in using SHA-1 certificates, and recommended that administrators accelerate their migration to SHA-2 certificates.
The risk is that, with enough computing power, an attacker can craft a fake certificate that in all key respects appears to be signed by a public Certification Authority (it cryptographically chains up to a Certification Authority’s root certificate). This doesn’t mean that websites are suddenly insecure, but it certainly is a wake-up call.
The current policy of most browsers stipulates that they will completely reject SHA-1 TLS certificates on January 1, 2017. However, in light of these new findings, it’s highly possible the deadline will be accelerated. If your customers are still using SHA-1 certificates, you should accelerate their plans to replace them with SHA-2 certificates to avoid security warnings and to ensure visitors to their site are not blocked.
Action Required: In light of this recent research, we urge you to revoke SHA-1 certificates on behalf of your customers and replace them with SHA-2 certificates as soon as possible. Partners with impacted certificates were provided details in a previous communication.
Here are resources to help you understand the issue and reissue your customers' certificates quickly and easily:
For Symantec certificates click on this link – INFO2848
For GeoTrust certificates click on this link – INFO2851
For Thawte certificates click on this link – INFO2849
Symantec Website Security Solutions