Chrome will show warnings on sites with SHA-1 certificates
Google has announced that, from early 2016, the Chrome browser will warn users about websites that use SHA-1 certificates. The company wants to block the hashing algorithm completely from January 2017 at the latest.
Google announced on its security blog that Chrome will no longer regard SHA-1 certificates as secure. Starting in early 2016, the browser will therefore display a warning when the user visits a website that uses such a certificate. Initially, this happens only if the certificate was issued on or after January 1, 2016 and chains to a public certificate authority. Google says it will show a critical error on all websites that use a SHA-1 certificate from January 1, 2017 at the latest, but is considering bringing this forward to July 1, 2016.
Google, Microsoft and Mozilla had already announced that they were working on a solution for the security problem posed by the outdated SHA-1 certificates. All three companies indicated that they would block the certificates after January 1, 2017. Microsoft then announced that it would bring this date forward because of increasing security risks, such as the freestart collision attack in October. Google is considering the same for similar reasons.
The security issues with SHA-1 certificates have been known for some time, but have only recently become relevant as it has become increasingly cheap to attack them. By means of a collision, it is possible to have a false certificate take the place of a legitimate one. As a result, the security of a connection can no longer be guaranteed. SHA-1 certificates are used to verify the SSL/TLS security of, for example, online payments.
In October, several companies, including Symantec and Microsoft, asked for a postponement of the phase-out of SHA-1 certificates. As of January 1, certificate authorities are no longer allowed to issue SHA-1 certificates. The postponement was requested because not everyone has a browser that supports SHA-2 certificates. The request was withdrawn after a team of cryptologists called for an earlier end to SHA-1 certificates, once it became clear how relatively cheaply and quickly SHA-1 can be attacked.
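For site operators who want to check their own certificates against the schedule described above, the following added example (not code from Google or from the article) reads the text output of `openssl x509 -noout -text` and reports how Chrome would treat the certificate on a given date. The result labels, the function names and the sample certificate text are assumptions made for illustration; whether the certificate chains to a public CA must be supplied by the caller, and only the one certificate passed in is examined.

```python
import re
from datetime import datetime, timezone

# Dates as stated in the article.
WARN_ISSUED_FROM = datetime(2016, 1, 1, tzinfo=timezone.utc)  # issued on/after: warning
BLOCK_ALL_FROM = datetime(2017, 1, 1, tzinfo=timezone.utc)    # latest start of critical error

# Constructed sample: trimmed `openssl x509 -noout -text` output, not a real certificate.
SAMPLE = """\
Certificate:
    Data:
        Serial Number: 01 (constructed)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Public CA (constructed)
        Validity
            Not Before: Jan 15 00:00:00 2016 GMT
            Not After : Jan 15 00:00:00 2017 GMT
"""

def parse_cert_text(text):
    """Return (signature algorithm name, notBefore as UTC datetime)."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text)
    not_before = re.search(r"Not Before\s*:\s*(.+?)\s+GMT", text)
    if not alg or not not_before:
        raise ValueError("input is not recognisable openssl x509 text output")
    issued = datetime.strptime(not_before.group(1), "%b %d %H:%M:%S %Y")
    return alg.group(1), issued.replace(tzinfo=timezone.utc)

def chrome_treatment(text, publicly_trusted, today):
    """Classify a certificate; the returned labels are this example's own."""
    alg, issued = parse_cert_text(text)
    # Matches names such as sha1WithRSAEncryption or ecdsa-with-SHA1.
    # RSASSA-PSS keeps its hash in separate parameters and is not handled here.
    if "sha1" not in alg.lower():
        return "ok"
    if today >= BLOCK_ALL_FROM:
        return "critical-error"      # all SHA-1 certificates, per the article
    if publicly_trusted and issued >= WARN_ISSUED_FROM:
        return "warning"             # issued in 2016 or later under a public CA
    return "no-warning-yet"          # SHA-1, but outside the initial warning rule

if __name__ == "__main__":
    now = datetime(2016, 6, 1, tzinfo=timezone.utc)
    print(chrome_treatment(SAMPLE, publicly_trusted=True, today=now))
```
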