Google Plans to Deprecate SHA-1 Certificates


Google recently announced that certain SSL Certificates with a lifecycle beyond the 1st of January 2016 are going to be treated as progressively less trustworthy by future versions of Chrome. The SSL Certificates in question are those signed using the slightly dated SHA-1 hashing algorithm. The same is going to apply to SSL Certificates which have been signed using SHA-256, but contain SHA-1 Intermediates within their chain of certificates (Chromium Blog Post, 5th of September 2014).

It is important to note that:

  • SHA-1 is currently still secure, but assumed to be unable to resist attacks in the future
  • SHA-2 is going to be the new standard for cryptographic hashing algorithms
  • All SSL Certificates from all certificate-issuing authorities are affected
  • All certificates that are signed using SHA-1, or that contain intermediate certificates signed using SHA-1, are going to be affected
  • Root certificates which use SHA-1 are unaffected
  • CertCenter will reissue the certificates in question, free of charge
  • On your list of certificates, we will indicate to you via a link which certificates may require a reissue

Schedule for upcoming Google Chrome Versions

Chrome 39 (Beta-Release on the 26th of September 2014)

Certificates with an expiration date between December 1st 2016 and 1st of January 2016, which were signed using SHA-1 or hold an SHA-1 intermediate certificate, will be classified as “secure, but with minor errors”. This status will be displayed visually, using a small yellow triangle as a warning.

Chrome 40 (Beta-Release on the 7th of November 2014)

Certificates with an expiration date between the 1st of June 2016 and 31st of December 2016 (inclusive), which were signed using SHA-1 or hold an SHA-1 intermediate certificate, will be classified as “secure, but with minor errors”. This status will be displayed visually using a small yellow triangle as a warning. Certificates that expire on or after the 1st of January 2017, or that contain an intermediate certificate signed using SHA-1, will be treated as “neutral, lacking security”. This status will be displayed using a blank page icon.

Chrome 41 (Beta-Release planned for Q1 2015)

Certificates with an expiration date between the 1st of January 2016 and 31st of December 2016 (inclusive), which were signed using SHA-1 or hold an SHA-1 intermediate certificate, will be classified as “secure, but with minor errors”. This status is going to be displayed visually using a small yellow triangle as a warning. Certificates expiring on or after the 1st of January 2017, which were signed using SHA-1 or contain an SHA-1 intermediate certificate, will be classified as “affirmatively insecure”. This status will be displayed visually using a lock with a red X, and a red strike-through text treatment in the URL scheme. Connectivity issues will arise, i.e., content may not load and display properly.
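
The Chrome 41 rules above can be applied to a certificate inventory to see which chains need a reissue. The following is an added example, not code from CertCenter or Google. The dictionary layout, the "unaffected" label, the substring match on algorithm names, and the use of the leaf certificate's expiry date are assumptions of this sketch, and the sample chains are constructed.

```python
from datetime import date

def uses_sha1(sig_alg):
    # Assumption: algorithm names as tools print them, e.g.
    # "sha1WithRSAEncryption" or "ecdsa-with-SHA1".
    return "sha1" in sig_alg.lower().replace("-", "")

def sha1_links(chain):
    """Subjects of SHA-1-signed certificates that count against the chain.
    chain[0] is the leaf; a self-signed certificate further up is the root,
    which the article lists as unaffected."""
    hits = []
    for i, cert in enumerate(chain):
        is_root = i > 0 and cert["subject"] == cert["issuer"]
        if not is_root and uses_sha1(cert["sig_alg"]):
            hits.append(cert["subject"])
    return hits

def chrome41_status(chain):
    """Apply the Chrome 41 tiers to the leaf's expiry date."""
    if not sha1_links(chain):
        return "unaffected"          # label is this example's own
    expiry = chain[0]["not_after"]
    if expiry >= date(2017, 1, 1):
        return "affirmatively insecure"
    if expiry >= date(2016, 1, 1):
        return "secure, but with minor errors"
    return "unaffected"

def make_chain(leaf_alg, inter_alg, expiry):
    # Constructed sample data: leaf -> intermediate -> SHA-1 self-signed root.
    return [
        {"subject": "www.example.test", "issuer": "Example CA",
         "sig_alg": leaf_alg, "not_after": expiry},
        {"subject": "Example CA", "issuer": "Example Root",
         "sig_alg": inter_alg, "not_after": date(2024, 1, 1)},
        {"subject": "Example Root", "issuer": "Example Root",
         "sig_alg": "sha1WithRSAEncryption", "not_after": date(2030, 1, 1)},
    ]

if __name__ == "__main__":
    for leaf, inter, exp in [
        ("sha256WithRSAEncryption", "sha1WithRSAEncryption", date(2017, 3, 1)),
        ("sha1WithRSAEncryption", "sha1WithRSAEncryption", date(2016, 6, 30)),
        ("sha256WithRSAEncryption", "sha256WithRSAEncryption", date(2018, 1, 1)),
    ]:
        chain = make_chain(leaf, inter, exp)
        print(exp, chrome41_status(chain), sha1_links(chain))
```

The first sample chain shows the case the article calls out: a SHA-256 leaf is still downgraded because its intermediate is signed with SHA-1, while the SHA-1 root alone does not count.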

Overview
