Google accelerates Chrome SHA-1 deprecation schedule

Increasing desire to be rid of SHA-1-signed certificates causes Google to join Microsoft, Mozilla in a likely acceleration of Chrome SHA-1 deprecation by six months.

Google announced last week that its plan to deprecate the SHA-1 algorithm in Chrome continues on schedule -- but that this schedule may be accelerated. The decision is based on continued research that shows that SHA-1 is more vulnerable than ever to collision attacks.

Also factoring in Google's decision are the recent announcements by Mozilla and Microsoft of plans to speed up their own SHA-1 deprecation schedules for Firefox and Edge. All three browser publishers had planned to end SHA-1 support completely by January 1, 2017, but are now considering ending SHA-1 support six months earlier, by July 1, 2016.

The first step of SHA-1 deprecation is on schedule with Chrome version 48, expected early in 2016. That browser will display a certificate error when it encounters a site whose leaf certificate was issued on or after January 1, 2016, and is signed with a SHA-1-based signature. According to Google, "We are hopeful that no one will encounter this error, since public CAs must stop issuing SHA-1 certificates in 2016 per the Baseline Requirements for SSL." Another version of Chrome, later in 2016, may extend the criteria to exclude sites whose certificates have SHA-1-signed certificates anywhere in their chains.

It is the acceleration of the second step of SHA-1 deprecation, when support for SHA-1 is completely withdrawn, that other browser publishers, and now Google, are considering. Google, Microsoft and Mozilla have now all announced plans to consider moving up the end of their support for SHA-1 certificates from January 1, 2017, to July 1, 2016. Google stated: "Sites that have a SHA-1-based signature as part of the certificate chain (not including the self-signature on the root certificate) will trigger a fatal network error. This includes certificate chains that end in a local trust anchor as well as those that end at a public CA."
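For administrators auditing a certificate inventory against the two steps described above, the following sketch applies both rules to chain metadata and shows how the verdict changes between the January 1, 2017 and July 1, 2016 cutoffs. It is an added example, not code from Google or from this article; the Cert record, function names and sample chains are hypothetical, and treating the cutoff date as the first day the fatal error applies is an assumption.

```python
from dataclasses import dataclass
from datetime import date

STEP1_ISSUED_FROM = date(2016, 1, 1)    # article: leaf issued on or after this date
CUTOFF_PLANNED = date(2017, 1, 1)       # article: original end of SHA-1 support
CUTOFF_ACCELERATED = date(2016, 7, 1)   # article: earlier date under consideration

@dataclass
class Cert:                  # hypothetical inventory record, not a parsed certificate
    subject: str
    sig_hash: str            # hash in the signature on this certificate
    not_before: date         # issuance date
    self_signed: bool = False

def sha1_links(chain):
    """SHA-1-signed certs in a leaf-first chain; a self-signed root's own
    signature is not counted, whether the anchor is public or local."""
    counted = chain[:-1] if chain[-1].self_signed else chain
    return [c.subject for c in counted if c.sig_hash.lower() == "sha1"]

def evaluate(chain, on_date, cutoff=CUTOFF_PLANNED):
    """Return 'fatal', 'cert_error' or 'ok' for Chrome 48 or later on on_date."""
    if on_date >= cutoff and sha1_links(chain):
        return "fatal"                    # step 2: any SHA-1 link in the chain
    leaf = chain[0]
    if leaf.sig_hash.lower() == "sha1" and leaf.not_before >= STEP1_ISSUED_FROM:
        return "cert_error"               # step 1: newly issued SHA-1 leaf
    return "ok"

# Constructed sample chains (leaf first, trust anchor last).
ROOT = Cert("Example Root CA", "sha1", date(2006, 1, 1), self_signed=True)
INT_SHA1 = Cert("Example Issuing CA G1", "sha1", date(2012, 1, 1))
INT_SHA256 = Cert("Example Issuing CA G2", "sha256", date(2014, 1, 1))
CHAINS = {
    "sha256 leaf, sha1 root only": [Cert("a.example.test", "sha256", date(2015, 9, 1)), INT_SHA256, ROOT],
    "sha256 leaf, sha1 intermediate": [Cert("b.example.test", "sha256", date(2015, 9, 1)), INT_SHA1, ROOT],
    "sha1 leaf issued 2015": [Cert("c.example.test", "sha1", date(2015, 6, 1)), INT_SHA256, ROOT],
    "sha1 leaf issued 2016": [Cert("d.example.test", "sha1", date(2016, 2, 1)), INT_SHA256, ROOT],
}

if __name__ == "__main__":
    for when in (date(2016, 3, 1), date(2016, 8, 1)):
        for cutoff in (CUTOFF_PLANNED, CUTOFF_ACCELERATED):
            for name, chain in CHAINS.items():
                print(when, cutoff, name, evaluate(chain, when, cutoff))
```

The chain with a SHA-256 leaf and a SHA-1 intermediate is the case most affected by the acceleration: it passes in August 2016 under the original schedule and fails under the earlier one.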

Also to be deprecated in Chrome 48 is the RC4 encryption cipher, which was created in 1987. The IETF issued a ban on using the RC4 cipher suite in early 2015.
