SHA-1 Support will be eliminated from popular browsers beginning in January 2017
SHA-1 is up. Starting in January 2017, Google Chrome – and the rest of the browser community shortly afterwards – will drop SHA-1 support and start making websites that still use SHA-1 SSL Certificates as unsecure.
This move was long overdue.
SHA-1 was the industry-standard hashing algorithm from 2011-2015, despite numerous security experts’ warnings that SHA-1 was vulnerable to some kinds of attacks. SHA-2 replaced SHA-1 as industrial standard in early 2016. Since then, all certificates must be issued with SHA-2 and the browser community had started setting deadlines for deprecation of SHA-1.
Now it is the deadline.
Sadly, not all institutions and businesses are ready for the transition. Security Strategy VP Kevin Bocek Per Venafi:
“There’s still a lot of work to be done. Large businesses are coming to us that either didn’t start yet, or tried to get going and didn’t make great progress … A lot of it’s because teams just don’t know where to get off.”
Venafi provides enterprise-level clients with cryptorelated services and solutions. 35 per cent of the site also uses SHA-1 certificates, according to the company’s report.
The migration issues are related to infrastructure for many businesses: they still use legacy systems and devices which can not support SHA-2. The cost of upgrading that much infrastructure can in this case be prohibitive.
Luckily there’s a solution there. If a company or organization acts quickly, a feature in Chrome 54 that will allow it to use SHA-1 support until January 1 , 2019, can still be made sure.
To do this site admins must use the code “EnableSHA1ForLocalAnchors.” Google will continue to make a distinction between certificates chained to a public certificate authority and certificates chained to local CAs.
Per Google Chrome Security Team member Andrew Whalley:
“We recognize that there may be rare cases in which a company wishes to make its own risk management decision to continue to use SHA-1 certificates… features requiring a secure origin, such as geolocation, will continue to work, but pages will be displayed as ‘neutral, lacking security.’ Without this policy set, SHA-1 certificates will not be trusted.
However, companies and organizations wishing to make use of Google’s SHA-1 provision need to be informed that there is no guarantee for this assistance. Google reserves the right to delete help in the event of a major cryptographic failure in SHA-1 before the 1-1-19 deadline.
So while this provision buys some time, hurrying up and migrating to SHA-2 is still imperative.
Officially, SHA-1 has over.