Google Works To Sunset SHA-1 In Chrome
Google will begin warning users when accessing HTTPS sites whose certificate chains are using SHA-1, due to this cryptographic hash algorithm being weak.
Due to SHA-1 being weak and Internet security threats only increasing, with the release of Chrome 39 later this year they're starting to bid farewell to HTTPS certificate signatures using SHA-1. There's already been a large push away from using SHA-1 by all Internet players due to its weakness to attack.
With Chrome 39 SHA-1-based signatures will be treated as secure but with errors, Chrome 40 will then begin treating them as neutral, and Chrome 41 will treat the certificates as "affirmatively insecure". This change is about SHA-1-signed certificates that don't expire until after 1 January 2017.
More details via this Chromium blog post.
Due to SHA-1 being weak and Internet security threats only increasing, with the release of Chrome 39 later this year they're starting to bid farewell to HTTPS certificate signatures using SHA-1. There's already been a large push away from using SHA-1 by all Internet players due to its weakness to attack.
With Chrome 39 SHA-1-based signatures will be treated as secure but with errors, Chrome 40 will then begin treating them as neutral, and Chrome 41 will treat the certificates as "affirmatively insecure". This change is about SHA-1-signed certificates that don't expire until after 1 January 2017.
More details via this Chromium blog post.
23 Comments