In a recent blog post, Google announced that starting early next year, Chrome will block websites that use SHA-1-signed certificates issued after January 1, 2016.
Google was the browser vendor with the most aggressive timeline for deprecating the SHA-1 cryptographic hash algorithm, but recent research showing a possible collision attack for around $100,000 made the other vendors more aware of the danger of extending SHA-1 support and led them to accelerate their own deprecation schedules as well.
The Baseline Requirements for SSL now say that all CAs must stop issuing SHA-1 certificates in 2016, so this shouldn’t be an issue for most websites. Chrome, Firefox and Microsoft Edge promised to block all SHA-1 certificates starting in 2017, but Google said it could also block them as early as July 1, 2016, pending further research. Google urged websites to replace their SHA-1 certificates with SHA-2 certificates as early as possible.
Although its official timeline for SHA-1 deprecation remains January 2017, Microsoft has already said that it’s considering blocking all SHA-1 certificates beginning in June 2016. Because Chrome uses the default Windows certificate root store, it could also be forced to block SHA-1 certificates whenever Microsoft’s browsers start doing it.
Google also announced that Chrome 48 will drop support for all RC4 cipher suites, because they have been found to be too weak in the past few years, making users unsafe. Firefox and Edge have similar timelines for RC4 deprecation.
For compatibility as well as strong security, Google recommended that website operators ensure their servers “use SHA-2 certificates, support non-RC4 cipher suites, and follow TLS best practices.” It also said most sites should support TLS 1.2 and prioritize the ECDHE_RSA_WITH_AES_128_GCM cipher suite, which supports “forward secrecy” (key rotation) for connections that are harder to intercept.
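As an added illustration (not code from Google or from this article), the sketch below uses Python's standard `ssl` module to build a server context that follows the protocol and cipher recommendations above, and audits any context against them. The function names, the OpenSSL cipher string, and the constructed "legacy" context are assumptions made for the example; the certificate's signature hash is set when the CA issues it, so it is not covered here.

```python
import ssl

# OpenSSL's name for the ECDHE_RSA_WITH_AES_128_GCM suite named in the article.
PREFERRED = "ECDHE-RSA-AES128-GCM-SHA256"

def hardened_server_context():
    """Server-side context: TLS 1.2 minimum, no RC4, preferred suite first."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Preferred suite, then the other ECDHE AES-GCM suites; RC4 explicitly excluded.
    ctx.set_ciphers(PREFERRED + ":ECDHE+AESGCM:!RC4:!aNULL:!eNULL:!MD5")
    # Honour the server's ordering rather than the client's.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx

def legacy_context():
    """Constructed weak setting for comparison (hypothetical, not from the article)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # allows pre-1.2 protocols
    ctx.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384:" + PREFERRED)  # preferred suite second
    return ctx

def audit(ctx):
    """Return a list of deviations from the recommendations; empty means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol below TLS 1.2")
    # TLS 1.3 suites are configured separately in OpenSSL, so audit only the rest.
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    if any("RC4" in n for n in names):
        findings.append("RC4 cipher suite enabled")
    if not names or names[0] != PREFERRED:
        findings.append("preferred suite is not first")
    if any(not n.startswith(("ECDHE-", "DHE-")) for n in names):
        findings.append("suite without forward secrecy enabled")
    return findings

if __name__ == "__main__":
    print("hardened:", audit(hardened_server_context()))
    print("legacy:  ", audit(legacy_context()))
```

Before serving traffic, the hardened context still needs `load_cert_chain()` with a SHA-2-signed certificate.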
______________________________________________________________________
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.