Red X through https:// in Chrome: weak security configuration?

I’ve noticed since joining OGS that Chrome doesn’t like OGS’s security certificates… does anyone know if this is an issue?

“This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private.”

Mine is a okay, it has a lock and everything.

Hmm okay. It seems to be fine on safari, maybe an issue with my Chrome then.

Google Chrome has started marking SHA-1 as insecure, because it is theoretically breakable by a nation state adversary. Unless you are using your OGS account as a front for espionage, SHA-1 is plenty strong. It would be better if OGS used SHA-256 cough cough, but it isn’t a serious concern.


Odd. I see the OGS certificate as SHA 256. The RSA is only 2048 bit though. It’ll be great to see 521 bit ECC sometime.

The CA is sha-1 our cert and the intermediate CA are sha-256.