Google announced last week that its plan to deprecate the SHA-1 algorithm in Chrome continues on schedule, but that this schedule may be accelerated. The decision is based on continued research showing that SHA-1 is more vulnerable than ever to collision attacks.
Also factoring into Google's decision are the recent announcements by Mozilla and Microsoft of plans to speed up the SHA-1 deprecation schedules for Firefox and Edge. All three browser publishers had planned to end SHA-1 support completely by January 1, 2017, but are now considering ending it six months earlier, by July 1, 2016.
The first step of SHA-1 deprecation is on schedule for Chrome version 48, expected early in 2016. That version will display a certificate error when it encounters a site whose leaf certificate carries a SHA-1 based signature and was issued on or after January 1, 2016. According to Google, "We are hopeful that no one will encounter this error, since public CAs must stop issuing SHA-1 certificates in 2016 per the Baseline Requirements for SSL." A later version of Chrome in 2016 may broaden the criteria to reject sites whose certificate chains contain a SHA-1 signature anywhere.
It is the acceleration of this second step of SHA-1 deprecation that the other browser publishers, and now Google, are considering. Google, Microsoft and Mozilla have all announced that they are considering moving the date on which SHA-1 support is completely withdrawn from January 1, 2017 to July 1, 2016. Google stated: "Sites that have a SHA-1-based signature as part of the certificate chain (not including the self-signature on the root certificate) will trigger a fatal network error. This includes certificate chains that end in a local trust anchor as well as those that end at a public CA."
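As an added illustration (not Google's or Chrome's code), the two rules described above modelled as a chain audit that a site operator could run over their own certificate chain before the deadlines; the `Cert` record, the algorithm-name set and the sample chains are constructed for the example, and a real checker would read these fields from the X.509 certificates themselves.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model holding only the fields the browser policy looks at.
@dataclass
class Cert:
    subject: str
    issuer: str
    sig_alg: str       # signature algorithm name, e.g. "sha1WithRSAEncryption"
    not_before: date   # issuance date of the certificate

SHA1_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

def is_sha1(cert: Cert) -> bool:
    return cert.sig_alg in SHA1_ALGS

def is_root(cert: Cert) -> bool:
    # Trust anchors are self-signed; the example treats a subject/issuer name
    # match as self-signed (an assumption; a real checker verifies the signature).
    return cert.subject == cert.issuer

def step1_verdict(chain):
    """Chrome 48 rule: error only for a SHA-1 leaf issued on or after 2016-01-01."""
    leaf = chain[0]
    if is_sha1(leaf) and leaf.not_before >= date(2016, 1, 1):
        return "certificate error"
    return "ok"

def step2_verdict(chain):
    """Final rule: any SHA-1 signature in the chain is fatal, except the root self-signature."""
    for cert in chain:
        if is_sha1(cert) and not is_root(cert):
            return "fatal network error"
    return "ok"

def audit(chain):
    """Chain is ordered leaf first, trust anchor last."""
    return {"chrome48": step1_verdict(chain), "final": step2_verdict(chain)}

# Constructed sample chains; the root's SHA-1 self-signature is exempt in both rules.
ROOT = Cert("Example Root CA", "Example Root CA", "sha1WithRSAEncryption", date(2006, 1, 1))
OLD_INT = Cert("Example Int", "Example Root CA", "sha1WithRSAEncryption", date(2012, 1, 1))
NEW_INT = Cert("Example Int G2", "Example Root CA", "sha256WithRSAEncryption", date(2014, 1, 1))
CHAIN_OLD_SHA1 = [Cert("www.example.com", "Example Int", "sha1WithRSAEncryption", date(2015, 6, 1)), OLD_INT, ROOT]
CHAIN_NEW_SHA1 = [Cert("www.example.com", "Example Int G2", "sha1WithRSAEncryption", date(2016, 2, 1)), NEW_INT, ROOT]
CHAIN_SHA1_INT = [Cert("www.example.com", "Example Int", "sha256WithRSAEncryption", date(2015, 6, 1)), OLD_INT, ROOT]
CHAIN_CLEAN = [Cert("www.example.com", "Example Int G2", "sha256WithRSAEncryption", date(2015, 6, 1)), NEW_INT, ROOT]
```

A chain that passes the Chrome 48 check can still fail the final rule, as `CHAIN_OLD_SHA1` and `CHAIN_SHA1_INT` show: the intermediate's SHA-1 signature counts even when the leaf is fine.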