AnsweredAssumed Answered

Security Certificate SHA-256

Question asked by Rob Gibson on Apr 20, 2015
Latest reply on Apr 25, 2015 by Rob Gibson

We’re starting to see a certificate warning when users access Canvas using Chrome on a PC. (I’m not able to replicate this on a Mac.) It has come in twice in recent days. Researching this message I found: https://thomas.vanhoutte.be/miniblog/this-site-is-using-outdated-security-settings-that-may-prevent-future-versions-of-chrome-from-being-able-to-safely-access-it/

 

Our IT Security guy indicated:

 

"I am not sure what the parameters for Canvas’ SSL are, but I can say that some applications (web servers included) have not updated their abilities to accept newer encryption methods such as SHA-256 (current standard). In those cases, many Certificate Authorities still allow you to issue a certificate using SHA-1 or SHA-128 so that the issued certificate will be compatible with those applications/web servers. That being said, Google is attempting to push SHA-1 out of the picture by making it more noticeable to end-users, thereby initiating the kinds of conversations that we are now having. We can get a certificate that uses SHA-256 for Canvas, however, Instructure’s hosted service would need to support such a certificate. Again, I am not sure whether that is the reason the SHA-1 certificate was originally used."

 

My question is: Is anyone else seeing this in Chrome this past couple of weeks? And, will Instructure support SHA-256 certificates?

Outcomes