SSL Certificate Encryption Compatibility

What is SHA-256 Compliance?

To understand what SHA-256 (Secure Hash Algorithm) Compliance is, you must first understand what SHA-256 is. If your website uses SSL Encryption to allow for secure connections from users over the internet, it requires a signature that verifies the identity of the website, much like how your signature is used to verify your own identity.

The level of security provided by your SSL certificate is limited by how difficult it is to decrypt and counterfeit the identity of your website. SHA-256 is a specific, commonly used method of encryption from the SHA-2 family of cryptography. SHA-2 encryption defines six different methods of encryption, each one defined primarily by the number of bits used to encrypt: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

SHA-2 or SHA-256 compliance can refer to 3 things:

  • Server/OS Compliance: A server or operating system that supports SHA-2
    Note: All HostGator servers are SHA-2 compliant and fully support SHA-256 connections required by providers such as PayPal.
  • Browser Compliance: The capability of the web browser to visit SHA-2 encrypted pages
  • SSL Encryption: Whether or not an SSL is encrypted with a SHA-2 signature.

Why Should I Care About SHA-256 Compliance or Encryption?

The first and most important reason is that previous encryptions are becoming increasingly easy to break and counterfeit. This reason alone has generally not been significant enough to force the industry to shift to SHA-2 compliance. However, many browser makers and payment gateways are beginning to require SHA-256 compliance.

By December 2015, Google Chrome users will begin seeing increasingly severe warnings next to domains encrypted with only SHA-1 encryption (the most recent level of encryption prior to SHA-2):

[Image: Chrome SSL Browser Warnings]

In addition to the initiatives taken by Google, PayPal will be updating their certificates and requiring users of their services, such as Instant Payment Notification, to connect to their servers from SHA-256 compliant servers.

This is a trend that will continue as more services upgrade their security to provide reliable and safe experiences on the internet. If you're serving encrypted content, make sure you are using up-to-date encryption methods.

Is My Website SHA-2 Compliant?

To serve SHA-256 secured content your website must be hosted on a SHA-2 compatible server and secured by a certificate with a SHA-256 / RSA signature.

Server Compliance:

Symantec has published a list of operating systems, web servers, and browsers that are compatible, as well as a list of known web servers that are NOT SHA-2 compatible. All HostGator servers are SHA-2 compliant. The complete compatibility list is available here:

SSL Certificate Encryption:

The level of your encryption is determined by the certificate issuer. HostGator currently provides SSLs from COMODO that use SHA-256 signatures. You may check the signature of your SSL by visiting the following URL and entering your SSL encrypted domain:

https://sslanalyzer.comodoca.com/

Enter your domain and click Analyze. The new page will list details of your SSL certificate. Locate the Signature line. If this line lists SHA-256 / RSA, then your SSL is encrypted with SHA-256. If it does not, you will need to contact your SSL issuer to have your certificate re-issued. If you are using a third-party SSL, you will then need to request to have the re-issued certificate installed for you.

If you purchased your SSL through HostGator and do not have a SHA-256 signature, please contact us via phone or Live Chat to request to have your certificate re-issued.