SHA1 certificate shown as insecure or with mix content warning on Google Chrome 39

Created on Sep 08 2014, 10:03 AM by Robert Lin

As of late 2014, SHA1 certificates and their SHA1 trust chain (not including the Root CA) will be considered insecure by Google Chrome.

A three-step process will increase the severity of the warning:

  1. Initially, SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the "Secure, but minor errors" icon. This is a lock with a yellow triangle alert icon.

  2. Severity will increase thereafter, where:
     SHA1 certificates that expire between 2016/6/1 and 2016/12/31, inclusive, and which contain SHA-1-based signatures in the validated chain, will be shown the "Secure, but minor errors" icon. This is a lock with a yellow triangle alert icon.

     SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the "Neutral, no security" icon. This is the blank page icon, as shown for HTTP URLs.

  3. Finally, Chrome will render websites with SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, with the "Affirmatively insecure, major errors" icon. This is a lock with a red X, with "https" rendered in red.

To resolve this issue, SHA2 certificates must be installed.

Google: Gradually sunsetting SHA-1

What about cross-root chaining? For example:

Chain one:   (1) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca1(N/A)
or
Chain two:   (2) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha1) <- ca2-ca2(N/A)
or
Chain three: (3) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha256) <- ca2-ca2(N/A)

As per Ryan from Google:

"On all of our platforms, it will prefer (1) if ca1 is trusted. It would only go to (2) if ca1 is not trusted.
On the platforms where this is the case, the peer supplying ca1-ca2(sha256) as part of the handshake ensures that (3) is preferred, if ca2 is trusted."
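The following script is an added illustration (not code from the article, Symantec or Google) of the two points above: the three-phase indicator schedule, and which of the three cross-root chains a client ends up evaluating. It parses the article's own chain notation (`subject-issuer(signature)`, leaf first, root last), ignores the root's self-signature as the article does, and reports the indicator for a given leaf expiry date and phase. The chain-preference function is a deliberately simplified model that reproduces the outcomes quoted in the answer (trusted root required; among trusted chains prefer one free of SHA-1, then the shorter one); it is not Chrome's actual path-building algorithm, and the behaviour for expiries before 2017 in the final phase is an assumption, since the article only describes the 2017-and-later case there.

```python
"""Classify certificate chains under the Chrome SHA-1 sunset described in the article.

Added example; chain notation follows the article: "leaf(sig) <- issuer(sig) <- root(N/A)",
each element written as "subject-issuer(signature-algorithm)".
"""
import re
from datetime import date

# Element pattern: "example.org-int1(sha256)" -> subject=example.org, issuer=int1, sig=sha256
ELEMENT_RE = re.compile(r"^(?P<subject>[\w.]+)-(?P<issuer>[\w.]+)\((?P<sig>[\w/-]+)\)$")

PHASES = ("initial", "increased", "final")  # the article's three steps, in order


def parse_chain(text):
    """Parse 'a-b(sha256) <- b-c(sha1) <- c-c(N/A)' into a list of dicts, leaf first."""
    certs = []
    for element in text.split("<-"):
        m = ELEMENT_RE.match(element.strip())
        if not m:
            raise ValueError(f"bad chain element: {element!r}")
        certs.append(m.groupdict())
    return certs


def is_sha1(sig):
    """Normalise 'sha1' / 'SHA-1' spellings; 'N/A' (root self-signature) is not SHA-1."""
    return sig.lower().replace("-", "") == "sha1"


def chain_uses_sha1(certs):
    """True if any signature in the validated chain, excluding the self-signed root, is SHA-1."""
    non_root = [c for c in certs if c["subject"] != c["issuer"]]
    return any(is_sha1(c["sig"]) for c in non_root)


def _as_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


def chrome_indicator(certs, leaf_expiry, phase):
    """Indicator the article attributes to each phase: 'secure', 'minor errors',
    'neutral' or 'insecure'. leaf_expiry may be a date or an ISO string."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase: {phase}")
    if not chain_uses_sha1(certs):
        return "secure"  # SHA-256 throughout (root excluded): no warning in any phase
    expiry = _as_date(leaf_expiry)
    expires_2017_or_later = expiry >= date(2017, 1, 1)
    expires_h2_2016 = date(2016, 6, 1) <= expiry <= date(2016, 12, 31)
    if phase == "initial":
        return "minor errors" if expires_2017_or_later else "secure"
    if phase == "increased":
        if expires_2017_or_later:
            return "neutral"
        return "minor errors" if expires_h2_2016 else "secure"
    # phase == "final": the article only states the 2017-and-later outcome here;
    # ASSUMPTION: earlier expiries keep the treatment of the previous phase.
    if expires_2017_or_later:
        return "insecure"
    return "minor errors" if expires_h2_2016 else "secure"


def preferred_chain(candidates, trusted_roots):
    """Simplified model of the quoted answer, not Chrome's path builder: a chain whose
    root is trusted is required; among those prefer a chain free of SHA-1, then the
    shorter one. Returns None when no candidate chains to a trusted root."""
    usable = [c for c in candidates if c[-1]["subject"] in trusted_roots]
    if not usable:
        return None
    return min(usable, key=lambda c: (chain_uses_sha1(c), len(c)))


if __name__ == "__main__":
    # The three chains from the article, as constructed sample input.
    chains = {
        "(1)": parse_chain("example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca1(N/A)"),
        "(2)": parse_chain("example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha1) <- ca2-ca2(N/A)"),
        "(3)": parse_chain("example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha256) <- ca2-ca2(N/A)"),
    }
    for name, certs in chains.items():
        row = [chrome_indicator(certs, "2017-06-01", p) for p in PHASES]
        print(f"{name} expiring 2017-06-01: {row}")
    chosen = preferred_chain(list(chains.values()), {"ca2"})
    print("only ca2 trusted ->", [c["subject"] + "-" + c["issuer"] for c in chosen])
```

Running it prints the indicator for each chain across the three phases and shows that with only `ca2` trusted the SHA-256 cross-certificate chain (3) wins over the SHA-1 one (2), while with `ca1` trusted the short chain (1) is used, as the quoted answer states.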
