Google mulls catching up Mozilla, Microsoft to drop SHA-1 certs early

News by Rene Millman

Google considering following Mozilla and Microsoft footsteps and dropping support for insecure SHA-1 certificates earlier than expected

A month after Microsoft said it was planning to end support for TSL and SSL certificates using SHA-1, Google has now come out and said it too is planning to join Microsoft and Mozilla and end Chrome support for the flawed encryption.

In a blog post, Google said that starting in early 2016 with Chrome version 48, Chrome will display a certificate error if it encounters a site with a leaf certificate that is signed with a SHA-1-based signature, is issued on or after 1 January 2016 and chains to a public CA.

“We are hopeful that no one will encounter this error, since public CAs must stop issuing SHA-1 certificates in 2016 per the Baseline Requirements for SSL,” it said.

Last September, Google announced plans to end support for the SHA-1 algorithm used within online certificates, used to validate websites.

SHA-1 has been used as a hashing algorithm to encrypt websites and these hashes are 160 bits long. Google said the move was supported by further recent research. Back in 2012, it was estimated that cyber-criminals would be able to create fake certificates by 2018. Newer estimates by academics from the Netherlands-based Centrum Wiskunde & Informatica (CWI), Inria in France and the Nanyang Technological University in Singapore (NTU Singapore) found that the cost of breaking the cryptographic algorithm is "significantly lower than previously thought".

This means that the appearance of forged certificates is only a matter of time before it becomes a popular method of attack. Services that continue to rely on SHA-1-based digital signatures could be considered insecure.

The move means that three of the main internet browsers will mark SHA-1 certificates as insecure within the next couple of years.

"In line with Microsoft Edge and Mozilla Firefox, the target date for this step is January 1, 2017, but we are considering moving it earlier to July 1, 2016 in light of ongoing research," the Chrome team said. "We therefore urge sites to replace any remaining SHA-1 certificates as soon as possible."

It added that as individual TLS features are found to be too weak, browsers need to drop support for those features to keep users safe. “Unfortunately, SHA-1 certificates are not the only feature that browsers will remove in the near future,” it warned.

“Chrome 48 will also stop supporting RC4 cipher suites for TLS connections. This aligns with timelines for Microsoft Edge and Mozilla Firefox,” the firm added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews