Devrim: GoG is using a weak cipher and key exchange combo
Starkrun: So that SHA256withRSA signature on Cert #1, the only one that matters for auth, is more than good enough, and is the gold standard.
Your tool thingy is seeing the 3rd cert in the chain, from Baltimore CyberTrust ROOT. It's a SHA1withRSA; this is a "trust store" cert and means diddly in the grand scheme. But yes, it looks bad, nothing to worry about.
1 Sent by server *.gog.com
Fingerprint SHA1: aa42bfea6967fa727349096eb8efad21fc577d82
Pin SHA256: tooPWKkkRO7h2Kcy9jtkTHzBoD0N7iJ03S1vVFqfkjw=
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server Verizon Akamai SureServer CA G14-SHA2
Fingerprint SHA1: 6ad2b04e2196e48bf685752890e811cd2ed60606
Pin SHA256: 8XFPrRr4VxmEIYKUu35QtR3oGbduX1AlrBzaBUHgp7c=
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store Baltimore CyberTrust Root Self-signed
Fingerprint SHA1: d4de20d05e66fc53fe1a50882c78db2852cae474
Pin SHA256: Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o=
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
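The distinction drawn above between certificates the server sends and the root held in the trust store, as an added example that is not part of the thread: a small parser for a chain listing in this layout that reports a weak signature hash only where path validation relies on that signature. The sample text is constructed from the names and algorithms quoted above, and the `WEAK_HASHES` set and function names are assumptions of this sketch.

```python
import re

# Constructed sample in the layout of the chain listing quoted above
# (names and algorithms from the thread; fingerprint and pin lines omitted).
SAMPLE = """\
1 Sent by server *.gog.com
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server Verizon Akamai SureServer CA G14-SHA2
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store Baltimore CyberTrust Root Self-signed
RSA 2048 bits (e 65537) / SHA1withRSA
"""

WEAK_HASHES = ("MD5", "SHA1")  # assumption: hashes treated as weak for signatures
HEADER = re.compile(r"^(\d+) (Sent by server|In trust store) (.+)$")
KEYLINE = re.compile(r"^(\w+) (\d+) bits .*/ (\w+)with(\w+)$")


def parse_chain(text):
    """Return one dict per certificate; unrecognised lines are skipped."""
    certs = []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            name = m.group(3)
            certs.append({
                "position": int(m.group(1)),
                "anchor": m.group(2) == "In trust store",
                "self_signed": name.endswith(" Self-signed"),
                "name": name.removesuffix(" Self-signed"),
            })
        elif (m := KEYLINE.match(line)) and certs:
            certs[-1].update(key_bits=int(m.group(2)), sig_hash=m.group(3))
    return certs


def weak_signatures(certs):
    """Names of certs whose weak signature hash is actually relied on.

    A trust anchor is trusted because it sits in the local store, so its
    self-signature is not what path validation depends on.
    """
    return [c["name"] for c in certs
            if c.get("sig_hash") in WEAK_HASHES and not c["anchor"]]


if __name__ == "__main__":
    print("weak signatures that matter:", weak_signatures(parse_chain(SAMPLE)))
```
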
Starkrun: they keep it because they wanna stay compatible with older stuff...
Fun fact: while investigating this I found out gog.com cannot work on IE6/XP or APPLE ATS 9/iOS9
all in all gog.com is superduper safe IMO ^_^
If you want a quick and dirty test to suck out information hit up the SSL Labs web tool. It'll provide a grade on the site and reasons for demotion of grade level and also a recommendation list to strengthen the site if needed. GOG.com scored an A- because they don't support Forward Secrecy with the reference browsers.
Yeah using SHA1 should (in theory) help users on Win XP SP2 and older and Android 2.3(?) and older but for some reason disabling the weak ciphers makes Firefox not load the GoG site.
All other gaming platforms (Steam/Origin/Uplay/PSN/Xbox) seem to be working fine.
e: Chromium also complains about obsolete cipher and key exchange btw. I wouldn't be surprised if all major browser developers will block certs with SHA-1 signatures.