We are happy to announce that our update of ArcGIS Online transport encryption certificates to a stronger hashing algorithm will be complete December 2nd, 2015. Specifically, we are transitioning from SHA-1 to SHA-256 certificates (also referred to as SHA-2).
The update of certificates is not just a change for Esri’s web services, but is a change occurring across all Internet services over the next year or so – Microsoft, Google, Mozilla, and Apple have documented their SHA-1 deprecation plans and browsers will soon be warning users about the risks of continuing to utilize SHA-1. Developers utilizing iOS9 now are already starting to see warnings about SHA-1 certificates. By Esri completing an update of our certificates, security is improved and customers will not run into these warnings.
All modern-day browsers support SHA-2, but some older systems/browsers do not support SHA-2 certificates. For example, ArcPad users utilizing Windows Mobile 6.5 or earlier could run into issues connecting to secured ArcGIS Online after the upgrade to SHA-2 certificates. We strongly recommend transitioning to a mobile version/solution that is fully supported by the vendor to ensure the most robust security for your connectivity. ArcPad 10.2.3 and later have been updated to ease the urgency of transitioning to a current platform.
What about root certificates?
There are plenty of certificate permutations to leave you potentially scratching your head as some of our content device network (CDN) providers will be keeping their root certificates SHA-1. The good news is that utilizing SHA-1 root certificates presents no more risk than utilizing SHA-2 root certificates and should not be flagged as a risk by various browsers. The reason for this is because unlike other certificates, the trust of the roots is not determined by validating the signature.
- The Security Standards & Architecture Team
- SHA-2 Compatibility Details – https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility
- SHA-1 Root Certificate Details – https://www.entrust.com/need-sha-2-signed-root-certificates/
- SHA-1 Deprecation Plans – https://support.globalsign.com/customer/portal/articles/1447169
- Test Your Browser for SHA-2 Support – https://ssltest39.ssl.symclab.com/
- ArcPad Details - https://geonet.esri.com/community/gis/applications/arcpad/blog/2015/12/02/arcgis-online-security-update-sha-2-and-how-it-affects-arcpad-users
- Having Issues After Testing? – http://support.esri.com