Google announced on September 5, 2014, that Chrome will sunset SHA-1 by providing security warnings through the popular browser.
SHA-1 is a secure hash algorithm used when signing SSL certificates. SHA-1 provides a unique 160-bit hash value representing the certificate. The hash value is designed so it cannot be the same for two different certificates. Unfortunately, over time, the hashing algorithm becomes weaker due to the increase in computing power.
SHA-1 has been determined to be weak to collision attacks. As such, Microsoft presented a SHA-1 Deprecation Policy in November 2013, which gave three years’ notice to sunset SHA-1:
- Certification authorities (CAs) must stop issuing new SHA-1 SSL end-entity certificates by January 1, 2016
- Windows will stop accepting SHA-1 end-entity certificates by January 1, 2017
With the September policy announcement, Google has given two to six months’ notice to sunset SHA-1. Google will provide security warnings through Chrome releases 39, 40, and 41, which will be available through the fall of 2014 to early 2015. For SHA-1 certificates expiring in 2017, the warnings in the status bar will progress to indicate “secure with minor errors” to “affirmatively insecure.”
Note: This diagram is for planning purposes only. Google has yet to officially announce upcoming Chrome release dates. All timelines are approximations based on past releases and should not be considered final.
The “affirmatively insecure” warning will indicate to a Chrome user that there is a security issue with the site’s certificate. The outcome may upset users and generate support calls.
To mitigate this risk, Entrust recommends the following:
- Review your SHA-1-signed SSL certificates.
- Determine whether your server supports SHA-2. The CA Security Council has provided a list of devices that do or do not support SHA-2. If your server does not support SHA-2, please consider upgrading.
- Determine whether these certificates have users who use Chrome or Windows. Please note that some SSL certificates are used for server-to-server communication where no browser is used.
- For SHA-1-signed SSL certificates that expire after 2015 with Chrome or Windows users, please reissue the certificate using SHA-2.
- For all other SHA-1-signing SSL certificates please generate a plan to reissue as SHA-2 when renewed.
If you use SSL certificates and need more information, please contact Entrust or your CA. If you would like to provide feedback to Google, please join the intent to deprecate online discussion.
Updated September 10, 2014: Ivan Ristić provides support on SHA-1 deprecation.
Updated September 24, 2014: Mozilla states its SHA-1 position.
Updated January 26, 2015: Google Chrome 40 was released on January 23, 2015. We expect Chrome 41 to be released approximately 6 weeks later, so about March 6, 2015. Please visit our website for more information on migration from SHA-1 to SHA-2.