Why Chrome displays a "SHA1" message with a SHA2 certificate

I just reinstalled the SHA1 certificate and installed the new SHA2 certificate in its place. Everything is working fine. There is no insecure content. The DigiCert diagnostic tool says that everything is in order, and "Signature Algorithm = SHA256 + RSA". However, Google Chrome says (pay attention to my emphasis):

The identity of this site has been verified by DigiCert SHA2 High CA Assurance Server, but has no public audit records.

Your connection to [www.domain.com] is encrypted using 128-bit encryption.

The connection uses TLS 1.0.

The connection is encrypted using AES_128_CBC, with SHA1 for authentication message and DHE_RSA as a key exchange mechanism.

Why does Google Chrome say the connection uses “SHA1 for message authentication”?

(Note: I cleared the cache and reloaded the page)

+4
1 answer

Message authentication is used to authenticate data in transit. It is not used to protect certificates (using digital signatures).

Many encryption kits will continue to use HMAC using SHA-1, since SHA-1 (and even MD5) is quite secure in the HMAC scheme (due to the fact that the key is hashed both at the beginning and at the end of the data for protection).

HMAC . HMAC () MD5 SHA-1.

+3
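
The construction the answer refers to, as an added example that is not part of the original answer: HMAC-SHA1 written out per RFC 2104, so the key is visibly mixed in before the data (inner hash) and again after it (outer hash), then used to accept or reject a payload. The function names are hypothetical, the key and data are the RFC 2202 test vector, and the tampered payload is constructed.

```python
import hashlib
import hmac

def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg))."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-1
    # Keys longer than one block are hashed first, then zero-padded to a block.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)  # key material placed before the data
    opad = bytes(b ^ 0x5C for b in key)  # key material wrapped around the result
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def verify_payload(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    Simplified: a real TLS record MAC also covers a sequence number and
    the record header, and its key comes from the handshake.
    """
    return hmac.compare_digest(hmac_manual(key, payload), tag)

# RFC 2202, HMAC-SHA1 test case 2.
KEY = b"Jefe"
DATA = b"what do ya want for nothing?"
RFC2202_SHA1 = "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"

if __name__ == "__main__":
    tag = hmac_manual(KEY, DATA)
    print("manual HMAC-SHA1:", tag.hex())
    print("stdlib HMAC-SHA1:", hmac.new(KEY, DATA, hashlib.sha1).hexdigest())
    print("intact payload accepted:", verify_payload(KEY, DATA, tag))
    # Constructed tampering: one word of the payload changed in transit.
    tampered = DATA.replace(b"nothing", b"anything")
    print("tampered payload accepted:", verify_payload(KEY, tampered, tag))
    # Without the key, a plain SHA-1 of the data does not produce a valid tag.
    print("unkeyed SHA-1 accepted:",
          verify_payload(KEY, DATA, hashlib.sha1(DATA).digest()))
```

This MAC is what the "SHA1" in AES_128_CBC with SHA1 names; it is chosen by the negotiated cipher suite and is independent of the hash used in the certificate's signature.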
