Why you should disable SHA1 and how to secure web hosting servers

Why you should disable SHA1 and how to secure web hosting servers

SHA1 (Secure Hash Algorithm 1) is a popular cryptographic method used to secure eCommerce websites, backups, software updates, document signatures and more.

On 23 Feb 2017, Google announced that they were able to crack SHA1 by using a collision attack dubbed Shattered. This means any server that still uses SHA-1 are vulnerable to attacks.

See how we help web hosting companies

As an Outsourced Tech Support company, we help web hosting providers secure their servers and websites against such vulnerabilities. SHA1 was deprecated in 2015 (dubbed SHA1 sunset), and we replaced it with SHA-256 in all our customer servers by Dec 2016.

In the light of the new Google disclosure, we’re noting down a few common server hardening steps we performed on our customer servers.

1. Find and disable SHA1 certificates

Many of our customers (web hosts) provide SSL to their clients (web site owners). Since 2015, we’ve recommended issuing only SHA-256 certificates when SSLs were renewed.

However, there were websites that obtained certificates from other providers who didn’t insist on SHA-256. We knew these sites would be penalized by Google, and was potentially a hacker magnet.

To find vulnerable websites, we scanned all SSL enabled domains in each server with our proprietary Signature Algorithm check routine, like here:

disable sha-1 - find weak ssl

Once we built a list of weak SSLs, we recommended our customers (web hosts) to contact affected web masters, and offer them SHA-2 certificates. Our tech support team opened pro-active tickets to these webmasters and followed up until a secure SSL was installed.

[ Take care of your customers, before your competitors do. Get world-class support specialists to delight your customers. ]

2. Fix weak self-signed certs in mail, FTP & admin panels

Secure connections in SMTP, POP, IMAP, FTP and server administration panels (such as cPanel/WHM, Plesk, etc.) use self-signed certificates by default.

Unlike website certificates, these certificates do not show a prominent error in Mail or FTP clients, and could be ignored for a long time. Our tech support team found quite a few self-signed weak certs in self-managed VPS, dedicated and shared web hosting servers.

To prevent future occurrences of such SSL issues, we beefed up our 24/7 server monitoring with SSLLabs-SSLScan for in-depth scans.


Use Bobcares for your phone support services. Ensure 24/7 coverage for your customers!


1 Comment

  1. Question, we use and do the following HMAC=SHA1? Is this a problem?
    I have the following.

    I also have OpenSSL and the following.
    DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1

    Is the use of SHA1 for the MAC a problem or not?

    I’m beginning to think not given the way MAC and HMAC works.


Submit a Comment

Your email address will not be published. Required fields are marked *

BUSY WITH TECH SUPPORT ALL DAY? We help web hosts and other web solution providers save time and focus on growth.
Here's how we helped a web host reduce support engagement time from 3 hours to 30 mins per day: