The Final Countdown To The End of SHA-1
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

The Final Countdown To The End of SHA-1

Starting 2017, SHA-1 Warnings Will Get Ugly

We have written about SHA-1 a lot, but it can’t hurt to have one more reminder. We are only a few months away from 2017, and when we do enter January it will be the end of SHA-1. Seriously. Very very dead.

If you do not know about SHA-1, here is a one paragraph summary: To prove authenticity of SSL certificates, computers check the certificate’s signature. This signature is created with a cryptographic algorithm. For years, SHA-1 was the most widely used algorithm but it is now insecure and has been forbidden in all new certificates since the beginning of this year. Instead, you should be using SHA-2, the new industry standard.  Now you are caught up!

Currently, SHA-1 certificates are treated with safety gloves. Browsers usually take away the coveted padlock icon or display a subtle warning.

But In 2017, the gloves come off. All the major browsers – Chrome, Firefox, Internet Explorer 11, and Edge – will fully block SHA-1 certificates.

Chrome and Firefox will be the first to flip the switch. When Chrome 56 releases, which should be near the end of January, a full-page warning will be displayed for all SHA-1 certificates. Firefox 51, due out around the same time, will also show a similar warning.

end of sha-1

Microsoft’s browsers, Edge and Internet Explorer 11, will join in shortly after. Starting February 14th, 2017, their browsers “will prevent sites [using] a SHA-1 certificate from loading,” and present an invalid certificate error.

SSL Labs, one of the most popular (and free) tools for testing your website’s SSL configuration, will also be giving poor grades to SHA-1 certificates in 2017.

The errors in all these browsers will be overridable, but with warnings this severe you should expect the vast majority of users to leave your site. And eventually browsers will remove any bypassing altogether.

These behaviors will not apply (or be configurable) for locally imported/manually-installed roots. So, those of you still using SHA-1 with local trust you will have the ability to turn these off.

If you are still using SHA-1 you have very little time to get upgraded to a SHA-2 certificate. Remember, it is no longer possible to get publicly-trusted SSL certificates that use SHA-1. Even if you have an existing SHA-1 cert valid in 2017, browsers will still apply this treatment.

If you have any questions about SHA-1/SHA-2, or are still using SHA-1, please get in touch or leave a comment. We are here to help.