Google follows Microsoft, Firefox in blocking SHA-1 certificates

Google has announced that Chrome will start flagging SHA-1 certificates as insecure in early 2016, as part of a plan to stop supporting them completely over the following year.

In line with Microsoft and Firefox, Google’s Chrome version 48 will start displaying a certificate error when it encounters a website whose leaf certificate is signed with SHA-1 and was issued after January 1, 2016, or that chains to a public Certificate Authority (CA).

“Starting January 1, 2017 at the latest, Chrome will completely stop supporting SHA-1 certificates,” reads the Google blog post. “At this point, sites that have a SHA-1-based signature as part of the certificate chain (not including the self-signature on the root certificate) will trigger a fatal network error. This includes certificate chains that end in a local trust anchor as well as those that end at a public CA.”
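The schedule in the two paragraphs above can be checked mechanically from the chain a server presents. The following is an added example written for this page, not code from Google or from the article: a minimal DER reader pulls each certificate's outer signatureAlgorithm OID and notBefore date, and `chrome_verdict()` applies the stated rules (an error for a SHA-1-signed leaf issued on or after 2016-01-01, a fatal error for any SHA-1 signature in the chain from 2017-01-01, the root's own self-signature excluded). The `make_demo_cert()` helper builds constructed stand-in certificates with a dummy signature so the check runs offline; the "chains to a public CA" condition is not evaluated because it cannot be read from the certificate bytes alone. The function names, verdict labels and demo certificates are this example's own assumptions.

```python
"""Audit a certificate chain against the SHA-1 deprecation schedule quoted
above. Added example for this page; the DER reader and demo certificates
are not Google's, Chrome's or any CA's code."""
from datetime import datetime, timedelta, timezone

# Signature-algorithm OIDs that rely on SHA-1 (RFC 3279 / RFC 5480 values).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
CHROME48_LEAF_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)  # Chrome 48 rule
FATAL_DATE = datetime(2017, 1, 1, tzinfo=timezone.utc)            # hard failure


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(data):
    parts, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:                         # base-128 arcs, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def _decode_time(tag, data):
    text = data.decode("ascii")
    if tag == 0x17:                            # UTCTime: RFC 5280 pivots 2-digit year at 50
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:                          # GeneralizedTime already carries 4 digits
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def inspect_certificate(der):
    """Return the outer signatureAlgorithm OID and notBefore of one DER certificate."""
    _, cert, _ = _read_tlv(der, 0)             # Certificate ::= SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)           # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)       # signatureAlgorithm (what the CA used)
    _, oid, _ = _read_tlv(sig_alg, 0)
    tag, _, p = _read_tlv(tbs, 0)              # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, p = _read_tlv(tbs, p)            # serialNumber
    _, _, p = _read_tlv(tbs, p)                # inner signature AlgorithmIdentifier
    _, _, p = _read_tlv(tbs, p)                # issuer
    _, validity, _ = _read_tlv(tbs, p)         # validity { notBefore, notAfter }
    tag, not_before, _ = _read_tlv(validity, 0)
    return {"sig_oid": _decode_oid(oid), "not_before": _decode_time(tag, not_before)}


def chrome_verdict(chain_der, today):
    """chain_der: DER certificates, leaf first, ending with the trust anchor.
    Returns ("ok" | "warning" | "error" | "fatal", [(depth, algorithm, notBefore)])."""
    findings = []
    for depth, der in enumerate(chain_der[:-1]):   # root self-signature is exempt
        info = inspect_certificate(der)
        if info["sig_oid"] in SHA1_SIGNATURE_OIDS:
            findings.append((depth, SHA1_SIGNATURE_OIDS[info["sig_oid"]], info["not_before"]))
    if not findings:
        return "ok", findings
    if today >= FATAL_DATE:                        # any SHA-1 in the chain: fatal network error
        return "fatal", findings
    if findings[0][0] == 0 and findings[0][2] >= CHROME48_LEAF_CUTOFF:
        return "error", findings                   # SHA-1 leaf issued on/after 2016-01-01
    return "warning", findings                     # still accepted, but on borrowed time


# --- constructed demo certificates (not real, signature bits are dummy) -----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_demo_cert(sig_oid, not_before):
    """Stand-in certificate: real TBS layout up to validity, then a dummy signature."""
    params = b"\x05\x00" if sig_oid.startswith("1.2.840.113549") else b""
    alg = _tlv(0x30, _encode_oid(sig_oid) + params)
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _encode_oid("2.5.4.3") + _tlv(0x0C, b"demo"))))
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    validity = _tlv(0x30, utc(not_before) + utc(not_before + timedelta(days=365)))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x01") + alg + name + validity)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    SHA256, SHA1 = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"
    root = make_demo_cert(SHA1, utc_date(2006, 1, 1))        # exempt: self-signature
    inter = make_demo_cert(SHA256, utc_date(2014, 1, 1))
    leaf = make_demo_cert(SHA1, utc_date(2016, 2, 1))        # SHA-1 leaf issued in 2016
    print(chrome_verdict([leaf, inter, root], utc_date(2016, 6, 1)))
```

On a live server the same check applies to the DER chain returned by the TLS handshake; the reader stops at `validity`, so the remaining TBS fields (subject, public key, extensions) do not need to be parsed for this audit.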

Although around 98 percent of certificates issued worldwide are SHA-1 signed, the SHA1 Deprecation Policy warns that SHA-1 collision attacks could enable man-in-the-middle attacks. Microsoft, Google, and Firefox have announced that, starting in 2016, they will gradually begin warning users about and blocking websites that use SHA-1 signed certificates.

“For security and interoperability in the face of upcoming browser changes, site operators should ensure that their servers use SHA-2 certificates, support non-RC4 cipher suites, and follow TLS best practices,” according to the same blog post. “In particular, we recommend that most sites support TLS 1.2 and prioritize the ECDHE_RSA_WITH_AES_128_GCM cipher suite.”

Everyone still relying on SHA-1 is strongly encouraged to move to SHA-2 during 2016 and replace all deprecated SHA-1 certificates; otherwise their services will be affected.
