Starting 2017, SHA-1 Warnings Will Get Ugly
We have written about SHA-1 a lot, but it can’t hurt to have one more reminder. We are only a few months away from 2017, and when we do enter January it will be the end of SHA-1. Seriously. Very, very dead.
If you do not know about SHA-1, here is a one-paragraph summary: To prove the authenticity of SSL certificates, computers check the certificate’s signature. This signature is created with a cryptographic hash algorithm. For years, SHA-1 was the most widely used algorithm, but it is now insecure and has been forbidden in all new certificates since the beginning of this year. Instead, you should be using SHA-2, the new industry standard. Now you are caught up!
Currently, SHA-1 certificates are treated with safety gloves. Browsers usually take away the coveted padlock icon or display a subtle warning.
But in 2017, the gloves come off. All the major browsers – Chrome, Firefox, Internet Explorer 11, and Edge – will fully block SHA-1 certificates.
Chrome and Firefox will be the first to flip the switch. When Chrome 56 is released, which should be near the end of January, a full-page warning will be displayed for all SHA-1 certificates. Firefox 51, due out around the same time, will show a similar warning.
Microsoft’s browsers, Edge and Internet Explorer 11, will join in shortly after. Starting February 14th, 2017, their browsers “will prevent sites [using] a SHA-1 certificate from loading,” and present an invalid certificate error.
The errors in all these browsers will be overridable, but with warnings this severe you should expect the vast majority of users to leave your site. And eventually browsers will remove any bypassing altogether.
These behaviors will not apply (or will be configurable) for locally imported or manually installed roots. So, those of you still using SHA-1 under a locally trusted root will have the ability to turn these warnings off.
If you are still using SHA-1 you have very little time to get upgraded to a SHA-2 certificate. Remember, it is no longer possible to get publicly-trusted SSL certificates that use SHA-1. Even if you have an existing SHA-1 cert valid in 2017, browsers will still apply this treatment.
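To find out which hash your certificate’s signature uses, here is an added example (not part of the original post) that walks the DER structure of a certificate and reads the outer signatureAlgorithm OID; the certificate shell it parses is constructed inline for the demonstration and is not a real certificate.

```python
# Added example: minimal DER walk that reads a certificate's outer
# signatureAlgorithm OID and flags SHA-1 (standard library only).
SHA1_SIGNATURE_OIDS = {  # sha1WithRSAEncryption, dsa-with-sha1, ecdsa-with-SHA1
    "1.2.840.113549.1.1.5", "1.2.840.10040.4.3", "1.2.840.10045.4.1"}

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x80|N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn DER OID content bytes into dotted-decimal text."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    alg_tag, alg_id, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("expected SEQUENCE { tbs, SEQUENCE { OID, params }, BIT STRING }")
    return _decode_oid(oid)

def uses_sha1(cert_der):
    return signature_algorithm_oid(cert_der) in SHA1_SIGNATURE_OIDS

def _der(tag, content):
    """Encode one TLV (short or long form); used only to build the sample."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(oid_hex):
    """Constructed certificate shell (not a real cert) carrying the given OID."""
    tbs = _der(0x30, _der(0x02, b"\x01"))   # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 257)         # 2048-bit dummy BIT STRING
    return _der(0x30, tbs + alg + sig)
SHA1_RSA, SHA256_RSA = "2a864886f70d010105", "2a864886f70d01010b"
```

To check a real certificate, pass the DER bytes (for a PEM file, `ssl.PEM_cert_to_DER_cert(pem_text)`) to `uses_sha1`, and run it over the leaf and every intermediate in the chain, not just one of them.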
If you have any questions about SHA-1/SHA-2, or are still using SHA-1, please get in touch or leave a comment. We are here to help.