Chrome To Cut Support For SHA-1 Certificates

December 21, 2015 - Written By Daniel Fuller

 

In the face of wave upon wave of data breaches, hacks and friendly neighborhood white hat hackers finding and reporting exploits almost daily, security on the web has never been a bigger concern. Google, Mozilla, Microsoft and many others have thrown their hats into the ring to help with user security. With the debate about encryption raging on between tech companies and governments, it may be a bit surprising to hear that a cryptographic standard that’s over a decade old is still in use.

SHA-1, the hash algorithm used to sign most secure sites’ SSL certificates, has never had a fan in Google. Websites bearing an https:// URL as opposed to http://, normally trusted by users, are unsafe and should be treated with extreme caution when they rely on SHA-1, according to Google. Chrome version 48 will begin showing a certificate error upon encountering such a site, telling the user that their connection is not private. This move is slated for January of 2016. SHA-1 certificates can no longer legally be issued in 2016, so most sites should be updating to the safer SHA-2 before applying for new certs. Sites that fail to update or provide fake credentials will be warned against in Chrome 48, with future versions blocking access to them entirely via a fatal network error. Though some may cry handholding or censorship, it’s not a far cry to say that most, if not all, sites bearing SHA-1 certificates past the cutoff date wouldn’t have the best of intentions for your private information. Naturally, there may be a few stragglers sporting expired certificates whose intentions are genuine, but these will likely be few and far between.

Google is not the only company that feels this way about the aging cryptographic standard. Microsoft Edge and Mozilla Firefox have plans to begin phasing out and eventually blocking SHA-1 certificates in a similar time frame. Microsoft will take it a step further, blocking SHA-1 addresses at the OS level in Windows 7 and higher before Google’s cutoff in 2017. The fairly insecure standard, which regularly comes under attack from hackers, regulators and tech sites, is supposed to have its sunset and be phased out of the web entirely by 2017.