Chrome Sets SHA-1 Expiration Date

by Jeff Martin on Sep 10, 2014. Estimated reading time: 2 minutes

Cryptographic hash algorithms can become outdated over time, both because the computing power available for brute force attacks keeps increasing and because weaknesses are found in the algorithm or its implementation. As Google observes, the SHA-1 algorithm has had known weaknesses for at least 9 years, as Bruce Schneier described in a blog post.

Given the increasing ease with which these attacks can be carried out, various institutions have already recommended against using SHA-1, including the US National Institute of Standards and Technology. Google's Chrome web browser will now join these organizations by changing how it displays sites that use HTTPS certificates with SHA-1 signatures.

To avoid disrupting users of sites that still depend on SHA-1 support, Chrome will phase in the changes using a staged approach that first alerts users to SHA-1's forthcoming expiration and culminates in a red "X" icon in the URL address bar. Users can still navigate to sites using SHA-1, but Chrome will visually indicate that they are less safe than sites that have moved from SHA-1 to something more secure.

Google has outlined the following schedule based on Chrome’s branch points:

  • Chrome 39 (Branch point 26 September 2014):  Sites with end-entity (“leaf”) certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.
  • Chrome 40 (Branch point 7 November 2014; Stable after holiday season):  Sites with end-entity certificates that expire between 1 June 2016 to 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.  Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “neutral, lacking security”.
  • Chrome 41 (Branch point in Q1 2015):  Sites with end-entity certificates that expire between 1 January 2016 and 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.  Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domains will be treated as “active mixed content”.

Note that the actual release dates of the Chrome browsers listed above will tend to follow the branch point date by 6-8 weeks.  So Chrome 39 should be expected for release in November, Chrome 40 in January 2015, and Chrome 41 in Q1 2015.
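To work out where a given deployment falls in the schedule above, here is an added example (it is not from the article or from Google): a Python function that maps a Chrome release, the leaf certificate's expiry date and whether the chain carries a SHA-1 signature onto the treatment listed. The chain_uses_sha1 helper and the sample signature-algorithm names are constructed for illustration.

```python
from datetime import date

# Treatments as named in Google's published schedule.
SECURE_MINOR = "secure, but with minor errors"
NEUTRAL = "neutral, lacking security"
INSECURE = "affirmatively insecure"
OK = "no SHA-1 warning"


def chain_uses_sha1(signature_algorithms):
    """True if any signature in the chain is SHA-1 based.

    Takes textual algorithm names as printed by tools such as openssl
    (e.g. 'sha1WithRSAEncryption', 'ecdsa-with-SHA1'); constructed helper,
    the caller decides which certificates of the chain to include.
    """
    return any("sha1" in alg.lower() for alg in signature_algorithms)


def chrome_sha1_status(chrome_version, leaf_not_after, chain_has_sha1):
    """Classify a site per the staged schedule.

    chrome_version: major release (39, 40, 41 or later)
    leaf_not_after: expiry date of the end-entity ("leaf") certificate
    chain_has_sha1: whether a SHA-1 signature appears in the chain
    """
    if not chain_has_sha1 or chrome_version < 39:
        return OK
    expires_2017_or_later = leaf_not_after >= date(2017, 1, 1)
    if chrome_version == 39:
        return SECURE_MINOR if expires_2017_or_later else OK
    if chrome_version == 40:
        if expires_2017_or_later:
            return NEUTRAL
        if date(2016, 6, 1) <= leaf_not_after <= date(2016, 12, 31):
            return SECURE_MINOR
        return OK
    # Chrome 41 is the last stage the schedule describes; treat later
    # releases the same way (assumption, not stated on the page).
    if expires_2017_or_later:
        return INSECURE
    if date(2016, 1, 1) <= leaf_not_after <= date(2016, 12, 31):
        return SECURE_MINOR
    return OK


if __name__ == "__main__":
    # Constructed sample: a leaf expiring in 2017 on a SHA-1 signed chain.
    sample_chain = ["sha1WithRSAEncryption", "sha256WithRSAEncryption"]
    has_sha1 = chain_uses_sha1(sample_chain)
    for version in (39, 40, 41):
        print(version, chrome_sha1_status(version, date(2017, 3, 1), has_sha1))
```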
