Google won’t lag behind Mozilla and Microsoft.
Google has made the move that Mozilla and Microsoft announced more than a month ago: it has published a revised cutoff date for SHA-1-signed certificates.
According to a recent post on the company’s security blog, Chrome will begin showing a certificate error for SHA-1 certificates issued on or after January 1, 2016. Additionally, from January 1, 2017, all SHA-1 certificates will be blocked in all versions of the Chrome browser.
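The two-stage policy above (error for SHA-1 certificates issued from January 1, 2016; rejection of every SHA-1 certificate from January 1, 2017) is easy to misjudge by hand because it depends on both the certificate's signature algorithm OID and its notBefore date. The following is an added example, not code from Google or from the article: it builds a few structurally valid but unsigned X.509 certificates in DER (a constructed sample, with a hypothetical `example.test` subject), pulls the signature algorithm and notBefore back out with a minimal DER walker written for this example, and applies the policy as the article states it. The DER helpers and the `chrome_verdict` rule are my own; they are not Chrome's implementation.

```python
import datetime as dt

# Standard X.509 signature-algorithm OIDs
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"
ECDSA_SHA1 = "1.2.840.10045.4.1"
SHA1_OIDS = {SHA1_RSA, ECDSA_SHA1}

# --- minimal DER helpers written for this example (not a full ASN.1 library) ---
def der(tag, payload):
    """Wrap payload in a DER tag-length-value (short and long length forms)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def encode_oid(text):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in text.split(".")]
    body = [40 * parts[0] + parts[1]]
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der(0x06, bytes(body))

def decode_oid(payload):
    """Decode OID contents; the first-byte split is exact for the 1.x and 2.5 OIDs used here."""
    arcs, val = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, contents, end offset) of the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(payload):
    """Split the contents of a constructed type into its (tag, contents) members."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = read_tlv(payload, pos)
        out.append((tag, val))
    return out

def alg_id(oid):  # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    return der(0x30, encode_oid(oid) + der(0x05, b""))

def utc_time(d):  # UTCTime, e.g. 160301000000Z
    return der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())

def build_cert(sig_oid, not_before, not_after):
    """Constructed sample: a well-formed but unsigned certificate for subject example.test."""
    name = der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, b"example.test"))))
    spki = der(0x30, alg_id("1.2.840.113549.1.1.1") + der(0x03, b"\x00\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg_id(sig_oid)
              + name + der(0x30, utc_time(not_before) + utc_time(not_after)) + name + spki)
    return der(0x30, tbs + alg_id(sig_oid) + der(0x03, b"\x00" * 17))  # dummy signature bits

def parse_cert(der_bytes):
    """Return (signature algorithm OID, notBefore) from a DER certificate."""
    _, cert, _ = read_tlv(der_bytes)
    tbs, sig_alg, _sig = children(cert)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:          # skip the optional explicit [0] version
        fields = fields[1:]
    _serial, tbs_alg, _issuer, validity = fields[:4]
    oid = decode_oid(children(sig_alg[1])[0][1])
    if oid != decode_oid(children(tbs_alg[1])[0][1]):
        raise ValueError("outer signatureAlgorithm differs from TBS signature field")
    nb_tag, nb = children(validity[1])[0]
    fmt = "%y%m%d%H%M%SZ" if nb_tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return oid, dt.datetime.strptime(nb.decode(), fmt)

def chrome_verdict(sig_oid, not_before, today):
    """The article's two-stage policy: 'error' for SHA-1 certs issued from 2016, 'blocked' from 2017."""
    if sig_oid not in SHA1_OIDS:
        return "ok"
    if today >= dt.datetime(2017, 1, 1):
        return "blocked"
    return "error" if not_before >= dt.datetime(2016, 1, 1) else "ok"

def audit_samples():
    """Run the policy over three constructed certificates at two evaluation dates."""
    samples = {"sha1_issued_2016": (SHA1_RSA, dt.datetime(2016, 3, 1)),
               "sha1_issued_2015": (SHA1_RSA, dt.datetime(2015, 6, 1)),
               "sha256_issued_2016": (SHA256_RSA, dt.datetime(2016, 3, 1))}
    out = {}
    for label, (oid, nb) in samples.items():
        parsed_oid, parsed_nb = parse_cert(build_cert(oid, nb, nb.replace(year=nb.year + 1)))
        assert (parsed_oid, parsed_nb) == (oid, nb)   # parser round-trips the constructed cert
        out[label] = {"mid-2016": chrome_verdict(parsed_oid, parsed_nb, dt.datetime(2016, 6, 1)),
                      "2017": chrome_verdict(parsed_oid, parsed_nb, dt.datetime(2017, 1, 1))}
    return out

if __name__ == "__main__":
    for label, verdicts in audit_samples().items():
        print(label, verdicts)
```

The same `parse_cert` works on a real leaf certificate read from disk (`open("leaf.der", "rb").read()`), since it only walks the structure and never checks the signature. One caveat the article does not spell out: Chrome's announced rule applied to leaf certificates chaining to a public CA, so an enterprise-internal SHA-1 certificate is outside this check's scope.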
“In line with Microsoft Edge and Mozilla Firefox, the target date for this step [blocking SHA-1 certificates] is January 1, 2017, but we are considering moving it earlier to July 1, 2016 in light of ongoing research,” explain Lucas Garron and David Benjamin, from the Google Chrome team.
SHA-1 deemed insecure by a recent research paper
The reason most browser vendors are moving away from SHA-1 is a recent research paper by three researchers from universities and institutes in France, the Netherlands, and Singapore. They demonstrated a freestart collision for the full SHA-1 compression function and showed that a full collision is reachable with far fewer hardware resources, and at a far lower price, than previously estimated.
With the cost of producing a SHA-1 collision estimated at between $75,000 and $120,000 in rented cloud GPU time, well within the budget of cybercrime and state-sponsored groups, the researchers urged organizations still using SHA-1 certificates to migrate to SHA-2 as soon as possible.
The quickest to react was Mozilla, which, only two weeks later, announced an earlier cutoff date for SHA-1 certificates of January 1, 2017, with the option of moving it to July 1, 2016, should new research expose further weaknesses in the algorithm.
Two weeks after Mozilla, Microsoft’s Edge team announced the same thing, with the same January 1, 2017, cutoff date, and an optional July 1, 2016, date for emergency situations.
On the other side of the barricade, Facebook and CloudFlare urged companies to keep serving SHA-1 certificates, but only to older browsers and clients that cannot validate SHA-2 signatures. Dropping SHA-1 outright would cut a large number of users of such browsers off from sites that employ modern HTTPS encryption.