After Microsoft and Mozilla, Google Also Hurries to Block SHA-1 Certificates


Google won’t lag behind Mozilla and Microsoft. Google has now made the move that Mozilla and Microsoft announced more than a month ago: it has revealed a revised cutoff date for SHA-1-signed certificates.

According to a recent blog post on the company’s security-themed blog, the company will begin showing a certificate error in Chrome starting January 1, 2016, for all newly issued SHA-1 certificates. Additionally, from January 1, 2017, all SHA-1 certificates will be blocked inside all versions of the Chrome browser.

“In line with Microsoft Edge and Mozilla Firefox, the target date for this step [blocking SHA-1 certificates] is January 1, 2017, but we are considering moving it earlier to July 1, 2016 in light of ongoing research,” explain Lucas Garron and David Benjamin, from the Google Chrome team.

SHA-1 deemed insecure by a recent research paper

The reason most browser vendors are moving away from SHA-1 is a recent research paper presented by three researchers from universities in France, Holland, and Singapore. In their study, the researchers were able to break the SHA-1 algorithm with far fewer hardware resources than previously thought, and at an acceptable price, much lower than initially estimated.

Since the cost of breaking SHA-1 was between $75,000 and $120,000 in server bills, easily affordable for cybercrime and state-sponsored groups, the researchers urged companies that still employed SHA-1 certificates to update as soon as possible.

The quickest to react was Mozilla, which, only two weeks later, announced that it had established an early cutoff date for SHA-1 certificates of January 1, 2017, with the possibility of pushing it to July 1, 2016, if new research came out to show the algorithm’s problems.

Two weeks after Mozilla, Microsoft’s Edge team announced the same thing, with the same January 1, 2017, cutoff date, and an optional July 1, 2016, date for emergency situations.

On the other side of the barricade, Facebook and CloudFlare were urging companies to continue to support SHA-1 certificates, but only for older browsers. The reason behind this campaign was the lack of any support for SHA-2 in older browsers. This would effectively cut off a large portion of people from Internet sites that employed modern HTTPS encryption.

Warning shown in Chrome browsers for outdated SHA-1 certs
