
Chrome To Block Sites With New SHA-1 Certificates Next Year

In a recent blog post, Google announced that starting early next year, Chrome will block websites that use SHA-1-signed certificates issued after January 1, 2016.

Google was the browser vendor with the most aggressive timeline for deprecating the SHA-1 cryptographic hash function, but recent research showing that a collision attack could be mounted for around $100,000 made the other vendors more aware of the danger of extending SHA-1 support and accelerated their own deprecation schedules as well.

The Baseline Requirements for SSL now say that all CAs must stop issuing SHA-1 certificates in 2016, so this shouldn’t be an issue for most websites. Chrome, Firefox and Microsoft Edge promised to block all SHA-1 certificates starting in 2017, but Google said it could also block them as early as July 1, 2016, pending further research. Google urged web sites to replace their SHA-1 certificates with SHA-2 certificates as early as possible.

Although its official timeline for SHA-1 deprecation remains January 2017, Microsoft has already said that it is considering blocking all SHA-1 certificates beginning in June 2016. Because Chrome on Windows relies on the default Windows certificate root store, it could also be forced to block SHA-1 certificates whenever Microsoft's browsers start doing so.

Google also announced that Chrome 48 will drop support for all RC4 cipher suites, because the stream cipher has been shown to be too weak over the past few years, leaving users unsafe. Firefox and Edge have similar timelines for RC4 deprecation.

For compatibility as well as strong security, Google recommended that web site operators ensure their servers "use SHA-2 certificates, support non-RC4 cipher suites, and follow TLS best practices." It also said most sites should support TLS 1.2 and prioritize the ECDHE_RSA_WITH_AES_128_GCM cipher suite, which provides "forward secrecy": each connection is keyed with an ephemeral Diffie-Hellman exchange, so a later compromise of the server's private key does not let an eavesdropper decrypt recorded traffic.
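The three recommendations above (SHA-2 certificates, no RC4, TLS 1.2 with an ECDHE + AES-GCM suite first) can be checked mechanically. The following is an added example, not code from Google or the article: it audits a Python `ssl.SSLContext` against those recommendations and applies the Chrome timeline quoted in the article (SHA-1 certificates issued on or after January 1, 2016 blocked in early 2016, all SHA-1 certificates blocked from January 2017) to a certificate's signature hash and validity start. The date constants, the `warn`/`block` outcomes, the weak and hardened context builders and the OpenSSL suite name `ECDHE-RSA-AES128-GCM-SHA256` (OpenSSL's spelling of the suite the article calls ECDHE_RSA_WITH_AES_128_GCM) are assumptions made for the example.

```python
"""Audit a TLS server configuration and a certificate's signature hash against
the advice quoted in the article. Added example; not Google's or Chrome's code."""
import ssl
from datetime import date

# Chrome's cut-offs as reported in the article, used here as policy inputs.
SHA1_ISSUANCE_CUTOFF = date(2016, 1, 1)  # SHA-1 certs issued on/after this: blocked early 2016
SHA1_SUNSET = date(2017, 1, 1)           # every SHA-1 cert: blocked from here on

# OpenSSL name of the suite the article calls ECDHE_RSA_WITH_AES_128_GCM (assumed mapping).
PREFERRED_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"


def sha1_policy(signature_hash: str, not_before: str, today: str) -> str:
    """Return 'ok', 'warn' or 'block' for a certificate signed with the given
    hash name (e.g. 'sha1', 'sha256') whose validity starts at not_before.
    Dates are ISO strings (YYYY-MM-DD); 'today' is the date the check is run."""
    if not signature_hash.lower().startswith("sha1"):
        return "ok"  # SHA-2 family (sha256, sha384, sha512) is what Google asks for
    issued = date.fromisoformat(not_before)
    now = date.fromisoformat(today)
    if now >= SHA1_SUNSET:
        return "block"  # all SHA-1 certificates are rejected from 2017
    if issued >= SHA1_ISSUANCE_CUTOFF:
        return "block"  # SHA-1 certificate issued in 2016: rejected immediately
    return "warn"  # legacy SHA-1 certificate: still accepted, but replace it now


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context follows the advice.
    This inspects the context's own settings, it does not probe a live server."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS versions below 1.2")
    names = [c["name"] for c in ctx.get_ciphers()]
    if any("RC4" in n for n in names):
        findings.append("RC4 cipher suites enabled")
    # TLS 1.3 suites are named TLS_*; the first remaining entry is what a
    # TLS 1.2 client is offered first, so that is where the priority check applies.
    tls12 = [n for n in names if not n.startswith("TLS_")]
    if not tls12 or tls12[0] != PREFERRED_SUITE:
        findings.append("forward-secret AES-GCM suite not prioritized")
    return findings


def weak_server_context() -> ssl.SSLContext:
    """Permissive configuration of the kind the article warns about (constructed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # old floor; refused by builds without TLS 1.0
    except ValueError:
        pass
    # RC4 is compiled out of most current OpenSSL builds; ":ALL" keeps the call
    # from failing there and leaves OpenSSL's default, non-prioritized ordering.
    ctx.set_ciphers("RC4-SHA:RC4-MD5:ALL")
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """Configuration following the article's advice: TLS 1.2+, ECDHE + AES-GCM first, no RC4."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join([
        PREFERRED_SUITE,
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
    ]))
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_server_context()), ("hardened", hardened_server_context())):
        print(label, audit_context(ctx) or ["no findings"])
    # Constructed certificate facts: SHA-1 signed, valid from March 2016, checked mid-March 2016.
    print("sha1 cert issued 2016-03-01:", sha1_policy("sha1", "2016-03-01", "2016-03-15"))
```

`audit_context` reads the cipher list and protocol floor that OpenSSL will actually use, so it catches a configuration that names a strong suite but still leaves RC4 or TLS 1.0 reachable. The SHA-1 check is deliberately date-driven: the same certificate moves from `warn` to `block` as the calendar crosses the cut-offs the article describes.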

______________________________________________________________________

Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.


  • BulkZerker
    Bad move Google. Blocking porn like that. /s
  • vern72
    So what about SHA-256 and SHA-512? (Not exactly sure how that fits into things).
  • turkey3_scratch
    Chrome allows you to click on advanced and whitelist a site anyway, so it never fully blocks you anyway, just serves a warning.
  • blazorthon
    Chrome allows you to click on advanced and whitelist a site anyway, so it never fully blocks you anyway, just serves a warning.

    Of course, if you want to visit a site, then your computer shouldn't stop you completely. It's your choice to make. Warning you is all they should do.
  • randomizer
    So what about SHA-256 and SHA-512? (Not exactly sure how that fits into things).

    These are both SHA-2 hash functions. SHA-1 and SHA-2 are families or generations rather than actual functions.
  • hotroderx
    This is great, so don't get me wrong, but I always come to the same conclusion. Who is Google to decide what sites are blocked? I mean, shouldn't Google, Apple, Microsoft, Mozilla, and a third-party independent company be the ones deciding, as a unified body, what happens? What happens if Google suddenly decides they don't like XYZ? At this point in the game Google is such a large player that they pretty much can shape and control the internet as they deem fit. It also kind of bites me, the broken mess that is Android. I know a lot of people blame the cell phone carriers for not pushing updates. How many people realistically blame Dell, HP, Gateway, what have you, when their computer breaks from not having a Windows update installed? Why isn't Google more focused on fixing that than trying to solve other people's issues?
  • blazorthon
    17177642 said:
    This is great, so don't get me wrong, but I always come to the same conclusion. Who is Google to decide what sites are blocked? I mean, shouldn't Google, Apple, Microsoft, Mozilla, and a third-party independent company be the ones deciding, as a unified body, what happens? What happens if Google suddenly decides they don't like XYZ? At this point in the game Google is such a large player that they pretty much can shape and control the internet as they deem fit. It also kind of bites me, the broken mess that is Android. I know a lot of people blame the cell phone carriers for not pushing updates. How many people realistically blame Dell, HP, Gateway, what have you, when their computer breaks from not having a Windows update installed? Why isn't Google more focused on fixing that than trying to solve other people's issues?

    The blocking is not complete; it is merely a warning. You can continue to the site if you want to.

    HP, Dell, and the rest don't have control over Windows Update, nor do they stop you from using it. The carriers have control and refuse to issue updates in a timely manner, if at all, so of course they are to blame.