Website Protection: The end of SHA-1 Certificates
At Website Pipeline, we're dedicated to ensuring sites are not only secure, but also available to the widest audience. In the coming months, both Google's Chrome browser and Mozilla's Firefox browser are changing their policy with respect to certain website certificates. We are aware of these changes, and need to make our customers aware to ensure customer sites continue to be secure and available to all visitors.
Google Chrome, Mozilla Firefox and SHA-1
Google will be making changes to its Chrome browser in upcoming versions to change
the way they treat certain website certificates based on their digital signature.
These changes affect over 80% of websites. Starting in Chrome 39 (to be released this month, November 2014), certificates signed with a SHA-1 signature algorithm will be considered less trusted than those signed with a more modern SHA-2 algorithm. This change will be reflected
in the UI presented to web visitors. By Chrome 41 (early 2015), any website with a certificate that expires in 2016 or later will be shown as untrusted if either:
- The certificate is signed with a SHA-1 algorithm
- One of the certificates in its trust chain is signed with a SHA-1 algorithm
(roots are exceptions)
This post on the Chromium Blog outlines the schedule of the rollout. websites that want to remain trusted by Google Chrome need to either have a SHA-2 certificate or a SHA-1 certificate that expires before 2016. Otherwise, their site will appear to Chrome users with a warning like this:
Mozilla is also implementing a similar change in their Firefox browser in early 2015, marking SHA-1 certificates as untrusted if they expire in 2016 or later.
Chrome’s decision puts many website owners in a bind. Sites either have to re-issue their SHA-1 certificates with a shorter expiration period, or upgrade to SHA-2. The problem with upgrading is that not all web browsers support SHA-2 certificates. Notably, Windows XP SP2 does not support SHA-2 based certificates. Windows XP is still a popular operating system despite the fact that Microsoft no longer supports it. It is especially popular in China, the largest Internet market in the world.
Sites that use a SHA-2 certificate are inaccessible to these web users over https. GlobalSign has put together a comprehensive list of SHA-2 client support. Sites that have tried to upgrade to SHA-2 have seen a backlash due to browser incompatibility. In July, mozilla.org upgraded their site to use a SHA-2 certificate. In doing so they lost around 145,000
Firefox downloads per week due to browser incompatibility.
Even google.com (as of November 10, 2014) continues to use SHA-1 for compatibility reasons, despite the company’s push to deprecate SHA-1 in Chrome. To support both Chrome and Windows XP SP2 it’s necessary to use a SHA-1 certificate that expires before 2016.
Website Pipeline encourages our customers to upgrade to SHA-2 certificates as soon as possible. Please contact your Account Manager for assistance.