1

Google’s SHA-1 Deprecation Plan for Chrome

Created on Sep 16 2014, 4:14 PM by Brook Chelmo

The latest news in the SSL and web browser industries is Google’s plans to deprecate SHA-1 in a unique way on upcoming releases of Chrome starting with version 39. Considerably different from Microsoft’s plans that were announced in November 2013, Google plans on placing visual marks or placing a block within the browser; all based on the version of the browser, date of use and certificate’s expiration date.

Here is what you need to know first:

  1. SHA-1 is still safe to use but critics say its long-term ability to stand up to collision attacks is questionable.
  2. SHA-2 is the next hashing algorithm to be used.  If your end-entity or intermediate certificates are SHA-1, it might be a good idea to exchange them now.
  3. This issue faces all Certification Authorities, not just Symantec.
  4. All SHA-1 end-entity certificates and SHA-2 end-entity certificates chaining up to a SHA-1 intermediate are affected. SHA-1 root certificates are not affected by either Microsoft’s or Google’s SHA-1 deprecation plan.
  5. Google is using three terms that you may want to familiarize yourself with:
    1. secure, but with minor errors,
    2. neutral, lacking security, and
    3. affirmatively insecure.
  6. Symantec offers free replacements for affected Symantec SSL certificates.

What we expect to see with future Chrome releases:

Chrome 39 (Beta release: 26 September 2014, tentative production release: November 2014):

  1. Any SHA-1 SSL certificate, on a page, that expires on or after 1 January 2017 will be treated as “secure, but with minor errors”.  The lock within the address bar of the browser will have a yellow arrow over the lock as in this example provided by Google:

google-blog-1.png

Chrome 40 (Beta release: 7 November 2014, tentative production release: post-holiday season):

  1. Pages secured with a SHA-1 certificate expiring between 1 June 2016 and 31 December 2016 inclusive will experience the same treatment as described above.
  2. Additionally, pages secured with a SHA-1 certificate expiring after 1 January 2017 will be treated as “neutral, lacking security”.  The lock in the address bar will be replaced by a blank page icon as in this example provided by Google:

google-blog-2.png

Chrome 41 (Q1-Q2 2015):

  1. Sites secured with a SHA-1 certificate with validity dates terminating between 1 January 2016 and 31 December 2016 inclusive will be treated as “Secure, but with minor errors.”
  2. Sites secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “affirmatively insecure”.  The lock will have a red “X” over it with the letters “HTTPS” crossed out with a red font as in this example provided by Google.

google-blog-3.png

Here is a matrix to help you understand the dates:

Sample Expiration Dates

Chrome Version (Beta dates)

SHA-1

(Dec 31 2015)

SHA-1

(Jan 1 – May 31  2016)

SHA-1

(Jun 1 – Dec 31 2016)

SHA-1

(Jan 1 2017 and beyond )

Recommended:

SHA-2

Chrome 39

(Sept. 2014)

google-blog-4.png

google-blog-4.png

google-blog-4.png

google-blog-5.png

google-blog-4.png

Chrome 40

(Nov. 2014)

google-blog-4.png

google-blog-4.png

google-blog-5.png

google-blog-6.png

google-blog-4.png

Chrome 41

(Q1 2015)

google-blog-4.png

google-blog-5.png

google-blog-5.png

google-blog-7.png

google-blog-4.png

Moral of the story: Move to SHA-2, especially if your SSL certificate expires after December 2015.

What you need to do.

  1. Use our SSL Toolbox to see if your certificates are affected.  SHA-1 SSL certificates expiring before 2016 are NOT affected and can be replaced with a SHA-2 certificate at renewal time if you wish.
  2. If your Symantec certificates are affected you can replace them at no additional charge for a SHA-2 certificate, or a SHA-1 certificate with a validity that does not go past 2015.  Check with your vendor if they have a free replacement program like Symantec.
  3. Install your new certificates.
  4. Test your installation using the SSL Toolbox.
  5. Security Best Practice:  Revoke any certificates that were replaced in step #2.

For more in-depth information, instructions, and assistance please refer to our knowledge center article on this subject.  For a list of SHA-2 supported and unsupported applications review this list from the CA Security Council.

Read our SHA-2 webpage for the tools, steps to take, and a list of FAQs that can be generally applicable across all browsers.

  • Products
  • Google Chrome
  • website security solutions
  • Symantec Website Security
  • SHA
  • SHA-1
  • chrome
  • DigiCert Complete Website Security
  • Products and Solutions
  • Google