Starting January 2017, SHA-1 Support will be eliminated from popular browsers
SHA-1 is over. Starting in January 2017, Google Chrome – and soon after, the rest of the browser community – will remove SHA-1 support and start marking websites that still use SHA-1 SSL certificates as not secure.
This move has been a long time coming.
SHA-1 was the industry-standard hashing algorithm from 2011 to 2015, despite warnings from numerous security experts that it was vulnerable to certain types of attacks. In early 2016 SHA-2 replaced SHA-1 as the industry standard. Since then, all certificates have had to be issued with SHA-2, and the browser community began setting deadlines for SHA-1 deprecation.
That deadline is now.
Unfortunately, not all companies and organizations are ready for the change. Per Venafi VP of Security Strategy Kevin Bocek:
There’s still a lot of work to be done. Large businesses are coming to us that either have not started yet, or have tried to start and did not make great progress… Much of it is that teams just don’t know where to start.
Venafi offers crypto-related services and solutions to enterprise level clients. Per the company’s research, 35% of the web still uses SHA-1 certificates.
For many businesses, the migration issues are related to infrastructure: they are still using legacy systems and devices that cannot support SHA-2. In this case, the cost of upgrading that much infrastructure can be prohibitive.
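A first step for the teams Bocek describes is an inventory of which certificates in each deployed chain are still signed with SHA-1. The following is an added example (not from this article, Venafi or Google) that reads the outer signatureAlgorithm OID of each certificate straight from DER using only the Python standard library; the certificates it checks are constructed, certificate-shaped samples, not real ones.

```python
# Added example (standard library only): flag SHA-1 signatures in a certificate
# chain by reading each certificate's outer signatureAlgorithm OID from DER.
SHA1_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, _, pos = _read_tlv(cert, 0)                      # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)                    # AlgorithmIdentifier SEQUENCE
    tag, oid_bytes, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid_bytes)

def sha1_signed(chain):
    """Indexes (0 = leaf) of chain members whose signature uses SHA-1."""
    return [i for i, der in enumerate(chain) if signature_oid(der) in SHA1_OIDS]

# --- constructed samples (certificate-shaped DER, not real certificates) ---
def _tlv(tag, content):
    n = len(content)                                    # encoder for lengths <= 255
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content
def fake_cert(oid_content):
    """Padded tbsCertificate (forces long-form length), given OID, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x04, b"\x00" * 200))
    alg = _tlv(0x30, _tlv(0x06, oid_content) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xff" * 8))
SHA1_RSA = bytes.fromhex("2a864886f70d010105")          # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")        # 1.2.840.113549.1.1.11
```

On real input, convert PEM files with `ssl.PEM_cert_to_DER_cert` before passing them in; a hit on the trust anchor itself (last element) is informational only, since browsers do not verify a root's self-signature, whereas a SHA-1 leaf or intermediate is what the browser deadlines act on.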
Fortunately, there’s a workaround. If a company or organization acts quickly, it can still make use of a policy in Chrome 54 that will allow it to keep SHA-1 support through January 1, 2019.
In order to do this, site admins must make use of the “EnableSHA1ForLocalAnchors” policy. Chrome will still distinguish between certificates that chain to a public certificate authority and those that chain to locally installed CAs; the policy applies only to the latter.
Per a member of the Google Chrome security team, Andrew Whalley:
We recognize there might be rare cases where an enterprise wishes to make their own risk management decision to continue using SHA-1 certificates… Features which require a secure origin, such as geolocation, will continue to work, however pages will be displayed as ‘neutral, lacking security.’ Without this policy set, SHA-1 certificates that chain to locally installed roots will not be trusted starting with Chrome 57, which will be released to the stable channel in March 2017… Note that even without the policy set, SHA-1 client certificates will still be presented to websites requesting client authentication.
However, companies and organizations that wish to make use of Google’s SHA-1 provision need to be aware that this support is not guaranteed. Google reserves the right to remove support before the 1-1-19 deadline in the event of a major cryptographic break of SHA-1.
So while this provision buys some time, it’s still imperative that you hurry up and migrate to SHA-2.
SHA-1 is officially over.