The latest news in the SSL and web browser industries is Google’s plans to deprecate SHA-1 in a unique way on upcoming releases of Chrome starting with version 39. Considerably different from Microsoft’s plans that were announced in November 2013, Google plans on placing visual marks or placing a block within the browser; all based on the version of the browser, date of use and certificate’s expiration date.
Here is what you need to know first:
- SHA-1 is still safe to use but critics say its long-term ability to stand up to collision attacks is questionable.
- SHA-2 is the next hashing algorithm to be used. If your end-entity or intermediate certificates are SHA-1, it might be a good idea to exchange them now.
- This issue faces all Certification Authorities, not just Symantec.
- All SHA-1 end-entity certificates and SHA-2 end-entity certificates chaining up to a SHA-1 intermediate are affected. SHA-1 root certificates are not affected by either Microsoft’s or Google’s SHA-1 deprecation plan.
- Google is using three terms that you may want to familiarize yourself with:
- secure, but with minor errors,
- neutral, lacking security, and
- affirmatively insecure.
- Symantec offers free replacements for affected Symantec SSL certificates.
What we expect to see with future Chrome releases:
Chrome 39 (Beta release: 26 September 2014, tentative production release: November 2014):
- Any SHA-1 SSL certificate, on a page, that expires on or after 1 January 2017 will be treated as “secure, but with minor errors”. The lock within the address bar of the browser will have a yellow arrow over the lock as in this example provided by Google:
Chrome 40 (Beta release: 7 November 2014, tentative production release: post-holiday season):
- Pages secured with a SHA-1 certificate expiring between 1 June 2016 and 31 December 2016 inclusive will experience the same treatment as described above.
- Additionally, pages secured with a SHA-1 certificate expiring after 1 January 2017 will be treated as “neutral, lacking security”. The lock in the address bar will be replaced by a blank page icon as in this example provided by Google:
Chrome 41 (Q1-Q2 2015):
- Sites secured with a SHA-1 certificate with validity dates terminating between 1 January 2016 and 31 December 2016 inclusive will be treated as “Secure, but with minor errors.”
- Sites secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “affirmatively insecure”. The lock will have a red “X” over it with the letters “HTTPS” crossed out with a red font as in this example provided by Google.
Here is a matrix to help you understand the dates:
|
Sample Expiration Dates |
||||
Chrome Version (Beta dates) |
SHA-1 (Dec 31 2015) |
SHA-1 (Jan 1 – May 31 2016) |
SHA-1 (Jun 1 – Dec 31 2016) |
SHA-1 (Jan 1 2017 and beyond ) |
Recommended: SHA-2 |
Chrome 39 (Sept. 2014) |
|||||
Chrome 40 (Nov. 2014) |
|||||
Chrome 41 (Q1 2015) |
Moral of the story: Move to SHA-2, especially if your SSL certificate expires after December 2015.
What you need to do.
- Use our SSL Toolbox to see if your certificates are affected. SHA-1 SSL certificates expiring before 2016 are NOT affected and can be replaced with a SHA-2 certificate at renewal time if you wish.
- If your Symantec certificates are affected you can replace them at no additional charge for a SHA-2 certificate, or a SHA-1 certificate with a validity that does not go past 2015. Check with your vendor if they have a free replacement program like Symantec.
- Install your new certificates.
- Test your installation using the SSL Toolbox.
- Security Best Practice: Revoke any certificates that were replaced in step #2.
For more in-depth information, instructions, and assistance please refer to our knowledge center article on this subject. For a list of SHA-2 supported and unsupported applications review this list from the CA Security Council.
Read our SHA-2 webpage for the tools, steps to take, and a list of FAQs that can be generally applicable across all browsers.