Research indicates that SHA-1 signed SSL/TLS certificates face increasing vulnerabilities, forcing leading browsers to reconsider how long they will support this technology. Microsoft and Mozilla have announced that they are contemplating ending support for SHA-1 at an earlier date than originally planned.

In November 2013, Microsoft announced a policy to deprecate SHA-1. They requested that Certification Authorities (CAs) stop issuing SHA-1 signed certificates starting January 1, 2016. They also stated that Windows would not support SHA-1 certificates starting January 1, 2017. Other browser and operating system vendors appeared to adopt the same policy. Google actively promoted the policy by changing Chrome to provide warnings in the status bar for SHA-1 signed certificates that expire after 2015.

The CAs have accepted the SHA-1 deprecation, which resulted in the CA/Browser Forum also specifying that SHA-1 certificates shall not be issued starting January 1, 2016. The standard also deprecated SHA-1 certificates with validity dates that expire after 2016.

In October 2015, a research group announced more issues with a SHA-1 collision attack. This confirmed the position that SHA-1 signing must be deprecated. As a result, Microsoft announced that Windows may stop supporting SHA-1 as soon as June 2016, and Mozilla announced that Firefox would stop supporting SHA-1 as early as July 1, 2016. There has been both acceptance of and pushback on these announcements.

Although not publicly announced, Microsoft has indicated that they are not going to move their dates earlier. However, they will start “speed bumping” the browser experience sometime in June 2016. In other words, IE browser users will see warnings that the website is using a certificate with a weak hash. Microsoft’s current SHA-1 deprecation policy is found here.

We do not know whether Mozilla will change their date. Hopefully, if there are no announcements that continuing to use a SHA-1 signed certificate is vulnerable, then their dates will not change either. If there is no change, then certificate subscribers have through 2016 to keep moving to SHA-2.

While the leading browsers are reevaluating their plans for SHA-1 deprecation, every indication points to a condensed timeline if they decide to make a change. In the meantime, certificate subscribers should plan on moving to SHA-2 on a faster timeline than previously considered.

Updated December 23, 2015: Google has announced that Chrome 48 will display certificate errors for SHA-1 signed certificates which have been issued after 2015. Starting January 1, 2017 at the latest, Chrome will completely stop supporting SHA-1 signed certificates. Google is considering moving this date up to July 1, 2016. If a SHA-1 certificate is still being used, please consider upgrading to SHA-2 in the first half of 2016.