<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>Hello,</div>
<div> </div>
<div>I performed that check and our certificates are affected from the start at DFN (and so probably will be</div>
<div>all certificates using the DFN AAI issued before a certain date).</div>
<div> </div>
<div>Sigh .... more work to do ....</div>
<div> </div>
<div>--Jörg</div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Thursday, 18 September 2014 at 10:27<br/>
<b>From:</b> "Oliver Schonefeld" &lt;schonefeld@ids-mannheim.de&gt;<br/>
<b>To:</b> dev@lists.clarin.eu<br/>
<b>Cc:</b> CLARIN-D-Entwicklergruppe &lt;clarind-devel@mailman.sfs.uni-tuebingen.de&gt;<br/>
<b>Subject:</b> [Clarind-devel] HEADS UP: Google Chrome is "Gradually sunsetting SHA-1" SSL certificates</div>
<div name="quoted-content">Hi developers,<br/>
<br/>
Google will deploy changes in their certificate security evaluation<br/>
algorithms pretty soon, starting 2014-11 with Chrome 39.<br/>
<br/>
Depending on when the certificate will expire, Google Chrome will mark<br/>
sites that use SHA-1 based signature signed SSL certificates as "secure,<br/>
but with minor errors" (a lock icon with a yellow warning sign). As of<br/>
Q1 2015, those sites may be marked as "affirmatively insecure" (crossed<br/>
out red lock icon).<br/>
<br/>
It is not sufficient to just renew the certificate of the server, but<br/>
the complete certificate chain up to the root must be "SHA-1 free". When<br/>
in doubt, you should check with your certification authority (CA).<br/>
<br/>
For details about Google's plans, see<br/>
<br/>
<a href="http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html" target="_blank">http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html</a><br/>
<br/>
Please note, Microsoft is also phasing out SHA-1 signed certificates,<br/>
but they are not as aggressive as Google is:<br/>
<br/>
<a href="http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx" target="_blank">http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx</a><br/>
<br/>
If you want to assess the overall quality of your SSL setup, SSLLabs has<br/>
a nice "SSL Server Test" online at<br/>
<a href="https://www.ssllabs.com/ssltest/" target="_blank">https://www.ssllabs.com/ssltest/</a><br/>
<br/>
Make sure to check the "Do not show the results on the boards", if you<br/>
don't want your server to appear in the lists below!<br/>
<br/>
Best,<br/>
Oliver<br/>
--<br/>
Oliver Schonefeld<br/>
Institut für Deutsche Sprache, Zentrale Forschung<br/>
R5, 6-13, D-68161 Mannheim<br/>
+49-(0)621-1581-451 | <a href="http://www.ids-mannheim.de" target="_blank">http://www.ids-mannheim.de</a><br/>
</div>
</div>
</div>
</div></div></body></html>