Google follows Mozilla, Microsoft, to drop SHA-1 certificates early
SHA-1 may still be one of the most widely deployed hash functions on the Internet, but Google, Mozilla and Microsoft agree that it is time to move certificates to the stronger SHA-2 family (or, eventually, SHA-3). Microsoft was the first to announce the change, and Google and Mozilla then announced that after January 1, 2017 their browsers would no longer accept certificates with SHA-1-based signatures.
Both Mozilla and Google are now looking at bringing that deadline forward. Lucas Garron of the Chrome security team explained the company's decision as follows:
“As individual TLS features are found to be too weak, browsers need to drop support for those features to keep users safe. Unfortunately, SHA-1 certificates are not the only feature that browsers will remove in the near future.
As we announced on our security-dev mailing list, Chrome 48 will also stop supporting RC4 cipher suites for TLS connections. This aligns with timelines for Microsoft Edge and Mozilla Firefox.
For security and interoperability in the face of upcoming browser changes, site operators should ensure that their servers use SHA-2 certificates, support non-RC4 cipher suites, and follow TLS best practices. In particular, we recommend that most sites support TLS 1.2 and prioritize the ECDHE_RSA_WITH_AES_128_GCM cipher suite. We also encourage site operators to use tools like the SSL Labs server test and Mozilla’s SSL Configuration Generator.”
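To make that advice checkable, here is an added example (not code from the original article or from Google) that reads the signature algorithm out of a DER-encoded X.509 certificate, flags SHA-1, and grades a negotiated cipher suite against the RC4 and ECDHE/AES-GCM guidance above. The minimal DER walker, the `mock_certificate()` builder and the `audit_host()` helper are assumptions of this example: the mock carries only the outer structure a real certificate has (tbsCertificate, signatureAlgorithm, signatureValue) so the check can run offline, and `audit_host()` runs the same check against a live server with Python's standard `ssl` module.

```python
"""Audit a server's certificate signature algorithm and cipher suite.
Added example, not code from the article or from Google. The DER walker reads
only the outer Certificate SEQUENCE; mock_certificate() is a constructed stand-in.
"""
import socket
import ssl
import sys

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, digest family)
SIG_ALGS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", "sha256"),
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE {tbs, alg, sig}
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate, skipped
    _, alg, _ = _read_tlv(cert, pos)        # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def sha1_deprecation_status(der):
    """(ok, message): ok is False for SHA-1 or unrecognised signature algorithms."""
    oid = signature_algorithm(der)
    name, digest = SIG_ALGS.get(oid, (oid, "unknown"))
    if digest == "sha1":
        return False, f"{name}: SHA-1 signature, rejected by Chrome, Firefox and Edge after the cut-off"
    if digest == "unknown":
        return False, f"unrecognised signature algorithm {oid}"
    return True, f"{name}: SHA-2 family, OK"

def grade_cipher_suite(name):
    """'reject' for RC4, 'preferred' for ECDHE with AES-GCM, else 'acceptable'.
    name is the OpenSSL-style string from ssl.SSLSocket.cipher()[0]."""
    n = name.upper()
    if "RC4" in n:
        return "reject"
    if "ECDHE" in n and "GCM" in n:
        return "preferred"
    return "acceptable"

def audit_host(host, port=443):
    """Hypothetical helper: connect with Python's ssl module and report leaf cert and cipher."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            cipher, proto, _bits = tls.cipher()
    ok, msg = sha1_deprecation_status(der)
    return {"cert_ok": ok, "certificate": msg, "protocol": proto,
            "cipher": cipher, "cipher_grade": grade_cipher_suite(cipher)}

# Constructed test data (not real certificates): DER-encoded OID contents
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
ECDSA_SHA256_OID = bytes.fromhex("2a8648ce3d040302")   # 1.2.840.10045.4.3.2

def _tlv(tag, body):
    """Short-form DER TLV; enough for the small mock below."""
    return bytes([tag, len(body)]) + body

def mock_certificate(oid_contents):
    """Minimal stand-in: tbsCertificate holds only a serial number, signature is a placeholder."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, oid_contents) + b"\x05\x00")   # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" * 9)                              # BIT STRING placeholder
    return _tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(audit_host(target) if target else sha1_deprecation_status(mock_certificate(SHA1_RSA_OID)))
```

Two caveats for real use. `ssl.create_default_context()` on a current OpenSSL enforces much the same policy the browsers are moving to, so a SHA-1 chain may fail the handshake before the leaf can be read; for a pure audit, set `ctx.check_hostname = False` and `ctx.verify_mode = ssl.CERT_NONE` so the certificate is still returned. And the check above inspects only the leaf; intermediates in the chain must be SHA-2-signed as well, so pull the full chain (for example with `openssl s_client -showcerts`) before declaring a site clean.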
For sites whose certificates carry a SHA-1-based signature, Chrome will start returning a fatal network error rather than a warning, and Google is considering bringing the full cut-off forward to July 1, 2016. The cost falls on users with old clients: our earlier report noted that Facebook estimates between 3 and 7 percent of browsers in use are too old to validate a SHA-2 certificate. SHA-2 offers a much larger security margin than its predecessor, SHA-1, but the clients that cannot handle it are concentrated in developing countries, where users often have little awareness of web security and no easy upgrade path. Statistics cited by CloudFlare put SHA-2 support at 98.31 percent of browsers worldwide; the remaining 1.69 percent still amounts to roughly 37 million people.
CloudFlare also cites an estimate that computing a SHA-1 collision costs about $700,000 today, a figure that only falls as hardware gets cheaper, which is why the cut-off cannot wait for the last SHA-1-only clients. The pain of the transition, on the other hand, shrinks over time as more and more websites adopt SHA-2 certificates.