
Google, Microsoft, and Mozilla Urge Site Operators to Replace SHA-1 Certificates

by Sergio De Simone on Nov 20, 2016. Estimated reading time: 2 minutes

Following the SHA-1 deprecation plans they announced last year, Google, Microsoft, and Mozilla have recently detailed their timelines for removing support for SHA-1 certificates from their flagship browsers.

Chrome

Chrome 56, which will be released to the stable channel at the end of January 2017, will stop trusting all SHA-1 certificates originating at a public CA and will produce a warning. Chrome will still provide SHA-1 support for private PKIs, such as those used within an enterprise, when the EnableSha1ForLocalAnchors policy is set; this relies on the underlying OS still supporting SHA-1.

Firefox

Firefox will stop trusting SHA-1 signed certificates with Firefox 51, currently in the developer edition and scheduled for release in January 2017. At the beginning of November 2016, Mozilla started beta testing SHA-1 deprecation on a subset of beta users to evaluate its impact on real-world usage. By default, Firefox will continue to work with manually installed certificates.

Edge

Microsoft Edge and Internet Explorer 11 will stop loading websites that use SHA-1 certificates starting on February 14, 2017. Users will be given the option to ignore the invalid certificate warning and visit the website anyway. Again, manually installed or self-signed SHA-1 certificates will not be affected.

Safari

Apple, maker of Safari, has also started to phase out SHA-1 and other algorithms deemed insecure, such as 3DES. This can be seen in the latest version of macOS, Sierra, which already hides the green padlock for websites presenting SHA-1 signed certificates. The Sierra release notes also recommend that operators stop using SHA-1 as soon as possible, but do not provide further details.

Although the countdown to SHA-1 support removal has already begun, researchers with security firm Venafi found that 35% of 11 million publicly visible websites are still using SHA-1 certificates.

The results of our analysis clearly show that while the most popular websites have done a good job of migrating away from SHA-1 certificates, a significant portion of the Internet continues to rely on SHA-1 certificates. According to Netcraft's September 2016 Web Server Survey, there are over 173 million active websites. Extrapolating from our results, as many as 61 million websites may be using such certificates.

The SHA-1 cryptographic hash algorithm was found vulnerable over eleven years ago and has recently been shown to be less secure than previously thought, mostly due to recent advances in GPUs that make collision attacks a concrete possibility in the near future.

The decision to gradually sunset SHA-1 support was initially announced by Google at the end of 2014 and quickly joined by Mozilla and later Microsoft. Their aggressive roadmap to retire SHA-1 was postponed in mid-2015, due to concerns that many older devices that do not support newer algorithms would be cut off from access to most of the Web.

All website operators can easily check whether their sites are using a SHA-1 based certificate.
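The check itself comes down to reading the signatureAlgorithm field of each certificate a server presents. The following is an added example, not code from InfoQ or from any of the browser vendors named above: a minimal DER walker that pulls the signature-algorithm OID out of an X.509 certificate, maps it to a name, and flags the SHA-1 variants. The sample "certificates" are constructed stand-ins (a placeholder tbsCertificate and a dummy signature around a real AlgorithmIdentifier), so the script runs offline; `check_host` is an assumed convenience wrapper that uses the standard library's `ssl.get_server_certificate` to fetch a live leaf certificate.

```python
import ssl

# Signature-algorithm OIDs as they appear in a certificate's AlgorithmIdentifier
# (RFC 3279, RFC 4055, RFC 5758).  Only the OID is needed to classify the cert.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10040.4.3": "id-dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10040.4.3", "1.2.840.10045.4.1"}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: 0x8N, then N bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn the raw OBJECT IDENTIFIER content bytes into dotted notation."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID from Certificate.signatureAlgorithm (RFC 5280 4.1)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    tag, alg, _ = read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE {..}
    tag, oid_body, _ = read_tlv(alg, 0)     # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def classify(cert_der):
    """Return (algorithm name or raw OID, True if it is a SHA-1 signature)."""
    oid = signature_algorithm(cert_der)
    return SIGNATURE_OIDS.get(oid, oid), oid in SHA1_OIDS


def check_host(host, port=443):
    """Assumed helper: fetch the leaf certificate a server presents and classify it.
    Only the leaf is fetched; intermediates must be checked separately."""
    pem = ssl.get_server_certificate((host, port))
    return classify(ssl.PEM_cert_to_DER_cert(pem))


def _der(tag, body):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def sample_cert(sig_oid_hex):
    """Constructed stand-in for a DER certificate: placeholder tbsCertificate,
    a real AlgorithmIdentifier, and a dummy BIT STRING signature.  Not a valid
    certificate, but it has the structure signature_algorithm() walks."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xde\xad\xbe\xef")   # leading 0x00 = no unused bits
    return _der(0x30, tbs + alg + sig)


SAMPLE_SHA1_CERT = sample_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SAMPLE_SHA256_CERT = sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption

if __name__ == "__main__":
    for label, cert in (("sha1", SAMPLE_SHA1_CERT), ("sha256", SAMPLE_SHA256_CERT)):
        name, is_sha1 = classify(cert)
        print(f"{label}: {name} -> {'REPLACE' if is_sha1 else 'ok'}")
```

Two points a practitioner should keep in mind: the browser policies above apply to every certificate in the chain, not just the leaf, so intermediates need the same inspection (the `ssl.get_server_certificate` wrapper only returns the leaf), and a SHA-1 root certificate is not a problem, since roots are trusted by identity rather than by their signature.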


Google Chrome outs Google's Web Servers for using SHA-1 Signatures by Doug Bateman

Google Chrome is reporting certificate errors for google.com/ because Google's own servers are still using SHA-1 signatures! How has this not gone viral yet? Google is reporting itself for security holes. LOL!
