Blogs

    Publish
     
      • Google’s SHA-1 Deprecation Plan for Chrome

        Oct 20 2017, 8:36 PM

        by Brook Chelmo 1

        The latest news in the SSL and web browser industries is Google’s plans to deprecate SHA-1 in a unique way on upcoming releases of Chrome starting with version 39. Considerably different from Microsoft’s plans that were announced in November 2013, Google plans on placing visual marks or placing a block within the browser; all based on the version of the browser, date of use and certificate’s expiration date.

        Here is what you need to know first:

        1. SHA-1 is still safe to use but critics say its long-term ability to stand up to collision attacks is questionable.
        2. SHA-2 is the next hashing algorithm to be used.  If your end-entity or intermediate certificates are SHA-1, it might be a good idea to exchange them now.
        3. This issue faces all Certification Authorities, not just Symantec.
        4. All SHA-1 end-entity certificates and SHA-2 end-entity certificates chaining up to a SHA-1 intermediate are affected. SHA-1 root certificates are not affected by either Microsoft’s or Google’s SHA-1 deprecation plan.
        5. Google is using three terms that you may want to familiarize yourself with:
          1. secure, but with minor errors,
          2. neutral, lacking security, and
          3. affirmatively insecure.
        6. Symantec offers free replacements for affected Symantec SSL certificates.

        What we expect to see with future Chrome releases:

        Chrome 39 (Beta release: 26 September 2014, tentative production release: November 2014):

        1. Any SHA-1 SSL certificate, on a page, that expires on or after 1 January 2017 will be treated as “secure, but with minor errors”.  The lock within the address bar of the browser will have a yellow arrow over the lock as in this example provided by Google:

        google-blog-1.png

        Chrome 40 (Beta release: 7 November 2014, tentative production release: post-holiday season):

        1. Pages secured with a SHA-1 certificate expiring between 1 June 2016 and 31 December 2016 inclusive will experience the same treatment as described above.
        2. Additionally, pages secured with a SHA-1 certificate expiring after 1 January 2017 will be treated as “neutral, lacking security”.  The lock in the address bar will be replaced by a blank page icon as in this example provided by Google:

        google-blog-2.png

        Chrome 41 (Q1-Q2 2015):

        1. Sites secured with a SHA-1 certificate with validity dates terminating between 1 January 2016 and 31 December 2016 inclusive will be treated as “Secure, but with minor errors.”
        2. Sites secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “affirmatively insecure”.  The lock will have a red “X” over it with the letters “HTTPS” crossed out with a red font as in this example provided by Google.

        google-blog-3.png

        Here is a matrix to help you understand the dates:

        Sample Expiration Dates

        Chrome Version (Beta dates)

        SHA-1

        (Dec 31 2015)

        SHA-1

        (Jan 1 – May 31  2016)

        SHA-1

        (Jun 1 – Dec 31 2016)

        SHA-1

        (Jan 1 2017 and beyond )

        Recommended:

        SHA-2

        Chrome 39

        (Sept. 2014)

        google-blog-4.png

        google-blog-4.png

        google-blog-4.png

        google-blog-5.png

        google-blog-4.png

        Chrome 40

        (Nov. 2014)

        google-blog-4.png

        google-blog-4.png

        google-blog-5.png

        google-blog-6.png

        google-blog-4.png

        Chrome 41

        (Q1 2015)

        google-blog-4.png

        google-blog-5.png

        google-blog-5.png

        google-blog-7.png

        google-blog-4.png

        Moral of the story: Move to SHA-2, especially if your SSL certificate expires after December 2015.

        What you need to do.

        1. Use our SSL Toolbox to see if your certificates are affected.  SHA-1 SSL certificates expiring before 2016 are NOT affected and can be replaced with a SHA-2 certificate at renewal time if you wish.
        2. If your Symantec certificates are affected you can replace them at no additional charge for a SHA-2 certificate, or a SHA-1 certificate with a validity that does not go past 2015.  Check with your vendor if they have a free replacement program like Symantec.
        3. Install your new certificates.
        4. Test your installation using the SSL Toolbox.
        5. Security Best Practice:  Revoke any certificates that were replaced in step #2.

        For more in-depth information, instructions, and assistance please refer to our knowledge center article on this subject.  For a list of SHA-2 supported and unsupported applications review this list from the CA Security Council.

        Read our SHA-2 webpage for the tools, steps to take, and a list of FAQs that can be generally applicable across all browsers.

        • Products
        • Google Chrome
        • website security solutions
        • Symantec Website Security
        • SHA
        • SHA-1
        • chrome
        • DigiCert Complete Website Security
        • Products and Solutions
        • Google
      • SHA1 certificate shown as insecure or with mix content warning on Google Chrome 39

        Sep 09 2014, 8:59 AM

        by Robert Lin 1

        As of late 2014, SHA1 certificates and it's SHA1 trust chain (not including the Root CA) will be considered insecure by Google Chrome.

        A three step process will increase the severity of the warning:

        1. Initially SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the "Secure, but minor errors" icon.  This is a lock with a yellow triangle alert icon
           
        2. Severity will increase thereafter, where:  
          SHA1 certificates that expire between 2016/6/1 and 2016/12/31, inclusively, and which contain SHA-1-based signatures in the validated chain, will be shown the "Secure, but minor errors" icon. This is a lock with a yellow triangle. alert icon

          SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the "Neutral, no security" icon. This is the blank page icon, as shown by HTTP URLs. Blank page icon
           
        3. Finally Chrome will render websites with SHA1 certificates that expire on/after 2017/1/1 and which contain SHA-1-based signatures in the validated chain, with the "Affirmatively insecure, major errors" icon. The "Affirmatively insecure, major errors" icon is a lock with a red X. red https
           

        To resolve this issue SHA2 certificates must be installed.

        Google: Gradually sunsetting SHA-1

        What about the Cross Root Chaining? For example:
        Chain one : >>    (1) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca1(N/A)
        or
        Chain two : >>    (2) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha1)<- ca2-ca2(N/A)

        or
        Chain three: >>   (3) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha256) <- ca2-ca2(N/A)

        As per Ryan from Google:

        "On all of our platforms, it will prefer (1) if ca1 is trusted. It would only go to (2) if ca1 is not trusted.
        On the platforms where this is the case, the peer supplying ca1-ca2(sha256) as part of the handshake ensures that (3) is preferred, if ca2 is trusted."

        • Products
        • Google Chrome
        • Public Key Infrastructure (PKI)
        • Symantec Enterprise Security
        • Thought Leadership
        • Symantec Website Security
        • SHA1
        • DigiCert Code Signing
        • DigiCert SSL TLS Certificates
        • Security Community Blog
        • SHA256
        • Google