SSL Weak Signature Algorithm

What This Check Does

The SSL Weak Signature Algorithm check examines the signature algorithm used to sign your SSL/TLS certificate. DNS Spy flags certificates signed with deprecated or weak algorithms, most commonly SHA-1 (sha1WithRSAEncryption). Modern certificates should use SHA-256 or stronger (SHA-384, SHA-512) as their signature hash algorithm.

Why It Matters

SHA-1 was formally deprecated for SSL/TLS certificates by the CA/Browser Forum in 2016 following demonstrated collision attacks. A collision attack against SHA-1 means an attacker can forge a certificate that appears valid — a direct threat to the integrity of HTTPS. Google's Chrome removed trust in SHA-1 certificates starting in 2017, and other browsers followed.

Despite this, SHA-1 certificates occasionally persist on legacy servers, internal systems, or on domains where the certificate was not properly replaced after the deprecation deadline. Any SHA-1 certificate still in use represents both a security risk and a compliance violation under PCI DSS and NIST SP 800-52.

Good vs. Bad Configuration

Bad Configuration

The certificate for example.com uses sha1WithRSAEncryption as its signature algorithm. This algorithm is deprecated and modern browsers may reject or distrust the certificate.

Good Configuration

The certificate for example.com uses sha256WithRSAEncryption or ecdsa-with-SHA256. These are current, secure signature algorithms accepted by all modern browsers and TLS clients.

How DNS Spy Monitors This

DNS Spy inspects the signature algorithm field of your SSL certificate during each monitoring cycle. If a weak algorithm like SHA-1 or MD5 is detected, an alert is raised. To resolve this check, replace the certificate with one signed using a modern algorithm such as SHA-256. DNS Spy will detect the updated certificate and automatically resolve the alert.