Following the SHA–1 deprecation plans they announced last year, Google, Microsoft, and Mozilla have recently detailed their timelines for removing support for SHA–1 certificates from their flagship browsers.
Chrome 56, due to reach the stable channel at the end of January 2017, will stop trusting SHA–1 certificates that chain to a public CA and will show a certificate warning for such sites. Chrome will keep accepting SHA–1 certificates issued by a private PKI, such as one used within an enterprise, when the EnableSha1ForLocalAnchors policy is set; this relies on the underlying OS still supporting SHA–1.
Firefox will stop trusting SHA–1 signed certificates with Firefox 51, currently in the Developer Edition and scheduled for release in January 2017. At the beginning of November 2016, Mozilla began testing SHA–1 deprecation on a subset of beta users to evaluate its impact on real-world usage. Manually installed SHA–1 certificates, such as those added for an organization's own CA, will continue to work by default.
Microsoft Edge and Internet Explorer 11 will stop loading websites that use SHA–1 certificates starting on February 14, 2017. Users will be given the option to ignore the invalid-certificate warning and visit the website anyway. Again, manually installed or self-signed SHA–1 certificates will not be affected.
Apple, maker of Safari, has also started to phase out SHA–1 and other algorithms deemed insecure, such as 3DES. This can be seen in the latest macOS version, Sierra, which already hides the green padlock for websites presenting SHA–1 signed certificates. The Sierra release notes also recommend stopping the use of SHA–1 as soon as possible, but do not provide further details.
Although the countdown to SHA–1 support removal has already begun, researchers at security firm Venafi found that 35% of 11 million publicly visible websites were still using SHA–1 certificates.
The results of our analysis clearly show that while the most popular websites have done a good job of migrating away from SHA–1 certificates, a significant portion of the Internet continues to rely on SHA–1 certificates. According to Netcraft’s September 2016 Web Server Survey, there are over 173 million active websites. Extrapolating from our results, as many as 61 million websites may be using such certificates.
The SHA–1 cryptographic hash algorithm was first found vulnerable over eleven years ago, and recent work has shown it to be weaker than previously thought, mostly because advances in GPU computing make a practical collision attack a concrete possibility in the near future.
The decision to gradually sunset SHA–1 support was first announced by Google at the end of 2014, quickly followed by Mozilla and later by Microsoft. Their aggressive roadmap to retire SHA–1 was postponed in mid–2015 over concerns that many older devices, which do not support newer algorithms, would be cut off from most of the Web.
Website operators can easily check whether their sites are using a SHA–1 based certificate by inspecting the signature algorithm of the site certificate and of every intermediate certificate in the chain.
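The check amounts to reading the signatureAlgorithm field of each certificate. The following is an added example written for this article, not code from any browser vendor or from Venafi: it decodes just enough DER to pull that OID out of a certificate, classifies it, and can fetch a live server's leaf certificate with the Python standard library. The fake_certificate helper builds a constructed, certificate-shaped DER blob so the parser can be exercised offline; it is not a real, signed certificate.

```python
# Added example: report the signature algorithm of an X.509 certificate.
import ssl
import sys

# Signature algorithm OIDs from RFC 3279, RFC 4055 and RFC 5758.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10040.4.3", "1.2.840.10045.4.1"}


def _read_tlv(data, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(value):
    """Convert the contents of a DER OBJECT IDENTIFIER to dotted notation."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der_cert):
    """Return the dotted OID from the certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY }
    """
    tag, pos, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der_cert, pos)           # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der_cert, tbs_end)   # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der_cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der_cert[oid_start:oid_end])


def describe(der_cert):
    """Return (algorithm name or raw OID, True if the signature uses SHA-1)."""
    oid = signature_algorithm_oid(der_cert)
    return SIG_ALG_NAMES.get(oid, oid), oid in SHA1_SIG_OIDS


def check_server(host, port=443):
    """Fetch the leaf certificate a live server presents and classify it (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return describe(ssl.PEM_cert_to_DER_cert(pem))


def _der(tag, content):
    """Minimal DER encoder (short and long length forms) for the constructed fixture."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        digits = [arc & 0x7F]
        arc >>= 7
        while arc:
            digits.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(digits))
    return _der(0x06, bytes(out))


def fake_certificate(sig_oid):
    """Constructed certificate-shaped DER with a placeholder body; NOT a real signed certificate."""
    tbs = _der(0x30, _der(0x04, b"\x00" * 200))          # oversized so long-form lengths are exercised
    alg = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    sig = _der(0x03, b"\x00" * 17)                        # BIT STRING placeholder signature
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_server(sys.argv[1]))
    else:
        for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
            print(describe(fake_certificate(oid)))
```

Run it with a hostname to classify the leaf certificate a server presents, or without arguments to see the constructed fixtures classified. Two caveats: ssl.get_server_certificate returns only the leaf, so intermediates have to be checked separately (for example with `openssl s_client -connect host:443 -servername host -showcerts`, then `openssl x509 -noout -text` on each block to read its "Signature Algorithm" line), and the self-signed signature on a root certificate does not matter, since roots are trusted by their presence in the trust store rather than by their signature.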