Site hosting news, tutorials, tips, How Tos and more

Google Chrome, SSL certificates, SHA-1, SHA-2 and the “obsolete cryptography” message

howto

If you use an SSL certificate (https) on your site, you may have seen a couple of new things happening in Google Chrome.

When you upgrade the Google Chrome browser to version 41 or later, you may see various warning messages such as, “The identity of this website has not been verified,” “Your connection to <domain> is not encrypted,” or other visual indications that the https connection is not secure.

Those indications can appear when your SSL certificate uses a SHA-1 signature (most SSL certificates issued before 2015 use SHA-1).

To fix the problem of browser security warnings you must get your SSL certificate re-keyed for SHA-2. If you don’t see those warnings in Chrome and you purchased your certificate recently, it may already be SHA-2. You can verify using this test site.

 

If you purchased your SHA-1 SSL certificate from us, here’s how to re-key:

1) Contact us and we will re-generate and re-submit the CSR.

2) You’ll then get an email from GeoTrust with a link to complete the process. When completing the re-key on the GeoTrust site, be sure that SHA-2 is selected as the “Hashtag Algorithm.” You can find step-by-step instructions (and a video) here.

3) After you’ve completed the reissuing process, you’ll receive an email with the new certificate. Go to Control Panel and paste the new certificate into the SSL manager and you’re finished.

 

If you purchased your SHA-1 SSL certificate from another company:

1) Contact us and we will re-generate the CSR and email it to you. Then you’ll have to contact the issuer of your certificate to get your certificate re-keyed for SHA-2.

2) When you receive the re-keyed certificate, go to Control Panel and paste the new certificate into the SSL manager and you’re finished.

 

“Obsolete cryptography” message after re-keying with SHA-2

There is another potential problem after you’ve re-keyed your SSL certificate. While the address bar will show the green lock icon, if visitors dig deeper in Chrome, they may see an “Obsolete Cryptography” message.

Basically, what’s happening now is that Chrome is ignoring the cipher preference we use on the server (which includes Google’s preferred ciphers) and pointing out any “weak ciphers” it finds. You might notice that many large corporate sites (such as Apple) are also insecure according to Chrome, for similar reasons.

That “obsolete cryptography” message may be with us for a while because Google is not providing any information (yet) on exactly what they want from the server to stop calling it insecure. It would seem that what Google would like to see is every server everywhere removing support for all older cryptographic methods.

The problem with that is that removing some of those methods will shut out visitors using older browsers and operating systems that don’t support newer methods (e.g., Windows XP). Since our servers are shared by many customers, it isn’t really an option for us to make global changes that prevent some visitors – even a small number – from accessing our customers’ sites.

We are test-configuring some special servers that will not support any of the older cryptography methods, but that’s much more complicated than it might seem on the surface, so it’s not something we can offer just yet.

And of course we continue to monitor information from Google on recommended server configuration, as well as continuing to test various configurations ourselves to prevent the “obsolete cryptography” message.

If you have any trouble re-keying a certificate, or if you have any questions about these ongoing changes, drop us a line and we’ll do our best to help.



Spring Updates

announcements

The latest versions of the following applications are now available through our App Installer tool:



Dear Winhost

insidewinhost

I was checking the Winhost mailbag this morning when I came across this letter:

“Dear Winhost,
Your new website is so pretty. Why on earth does your blog continue to be such a monstrous eyesore?
Sincerely,
Patricia Cardingiff Baxbauer”

Dear Patricia,

Actually, we couldn’t agree more. If you would be so kind, please allow us a moment to adjust…

Just a little bit more…and…almost…

There!

How’s this? Better?

Sincerely,
Your pals at Winhost



Take full control of your site backups right now

announcements

What if you could have instant access to backed up site files and databases, and the ability to set your own backup schedule?

If you have ever mistakenly deleted or overwritten an important website file, and suddenly realized that you’re without a backup, you know it’s not a good feeling.

If you’ve ever been unlucky enough to have your website hacked or compromised, you know it can be next to impossible to tell which files have been changed or added. If you didn’t have a “clean” backup, you probably had a tough (or expensive) time getting things right.

With our new SiteBackup service you never have to be caught unprepared again.

SiteBackup performs automated backups of your website files and retains up to 30 versions stored securely off-site. If you accidentally delete or overwrite a file, you can restore the backup instantly with one click. You can find more details about SiteBackup on the Winhost website.

SiteBackup is available in three sizes:

10 GB storage: $2.95 a month
30 GB storage: $6.95 a month
60 GB storage: $12.95 a month

SiteBackup is not an extension of our own internal daily backups. It’s a completely new system that performs backups on your schedule and stores them at a secure data center outside of the Winhost network. So your working sites, databases, email, etc. are in one data center, and your backups are in another. Geographic separation for maximum safety and security.

Want even more good news? When you order SiteBackup you can use it for as many websites as you’d like! Back up multiple websites under a single account.

SiteBackup is ready and available for you right now. And if we do say so ourselves, it’s pretty cool.

 



Holiday Updates

announcements

Here’s our latest round of App Installer updates:



Any day now…

insidewinhost

Winhost



Almost End of Summer Updates

announcements

Here are our App Installer updates for August:



MS SQL 2014 available now

announcements

If you’ve been anxiously awaiting SQL Server 2014 you will be happy to know that you can add an MS SQL 2014 database to your site right now in the MS SQL Manager section of Control Panel.

We continue to offer and support SQL 2008, SQL 2008 R2 and SQL 2012 as well. And as always, there is no extra charge for MS SQL databases.




Just in Time for Summer!

announcements

We just released a new round of App Installer updates:

Please note that nopCommerce 3.3 requires the ASP.NET 4.5.1 Framework in order to run properly, and that is only available on our Windows 2012 R2/IIS8 servers.  If you’re having trouble getting it to work, please open up a support ticket to have your account moved to one of those servers.



Winners of a year of free hosting announced

announcements

You’ve been asking us for the ability to auto-renew domain names, and now you can!

When we sent out the email notice of the availability of the new option we also mentioned that everyone who switched to automatic domain renewal would be eligible to win a free year of hosting.

Well, we’ve chosen two winners, and they are Rodrigo Sandoval from Santiago, Chile and Bruce Roeser from Florida. Congratulations, gentlemen, and thanks for using WinHost!
