Well, this is my first blog.
I will explain two concepts here.
- End of support for the SHA-1 algorithm used within online certificates (Most Fiori launchpad uses this certificate)
- New Security tab in chrome DevTools to find out everything about the certificate used and the connection type. In addition, it gives you the handy ability to drill down further to inspect all resources coming from that origin via the Network Panel
As technology evolves, it is critical to stay ahead of those who wish to defeat cryptographic technologies for their malicious benefit.
SHA-1 is a hash algorithm used to encrypt websites. While SHA-1 uses hashes which are 160 bits long, there are also other standards -- namely SHA-2, which implements a variety of hash sizes, and SHA-3, which is yet to become commercial or widely adopted as a standard.
From early 2016, Chrome will display a certificate error if websites are signed with an SHA-1-based signature, use an SHA-1 certificate issued after 1 January 2016 or are chained to a public CA.
How to know if your Fiori launchpad is secure ? Current solution for those of you who want data about page security is to
- Click onto the little lock icon next to the URL
- Then parse the info available on the “Connection” tab.
The newSecurity panel introduced in Chrome 48 makes it a lot easier to see any issues you have with certificates and mixed content. You can head to it directly in DevTools or by clicking on the URL bar’s lock icon. Screen shot below for refrence
The initiative to migrate from SHA-1 to SHA-256 (SHA-2) is the next proactive phase to better secure websites, intranet communications, and applications. Organizations need to develop a migration plan for any SHA-1 SSL and code signing certificates that expired after December 31, 2015.
Hope this blog gives insight into securing launchpad. Especially: Users accessing launchpad from mobile browser instead of using Fiori client.