Google’s SHA-1 Deprecation Plan for Chrome

The latest news in the SSL and web browser industries is Google’s plans to deprecate SHA-1 in a unique way on upcoming releases of Chrome starting with version 39. Considerably different from Microsoft’s plans that were announced in November 2013, Google plans on placing visual marks or placing a block within the browser; all based on the version of the browser, date of use and certificate’s expiration date.

What we expect to see with future Chrome releases:

Chrome 39 (Beta release: 26 September 2014, tentative production release: November 2014):

  • Any SHA-1 SSL certificate, on a page, that expires on or after 1 January 2017 will be treated as “secure, but with minor errors”.  The lock within the address bar of the browser will have a yellow arrow over the lock.

Chrome 40 (Beta release: 7 November 2014, tentative production release: post-holiday season):

  • Pages secured with a SHA-1 certificate expiring between 1 June 2016 and 31 December 2016 inclusive will experience the same treatment as described above.
  • Additionally, pages secured with a SHA-1 certificate expiring after 1 January 2017 will be treated as “neutral, lacking security”.  The lock in the address bar will be replaced by a blank page icon.

Chrome 41 (Q1-Q2 2015):

  • Sites secured with a SHA-1 certificate with validity dates terminating between 1 January 2016 and 31 December 2016 inclusive will be treated as “Secure, but with minor errors.”
  • Sites secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “affirmatively insecure”.  The lock will have a red “X” over it with the letters “HTTPS” crossed out with a red font.

GlobeSSL offers free replacements for affected GlobeSSL SSL certificates. If your GlobeSSL certificates are affected you can replace them at no additional charge for a SHA-2 certificate from the following URL : https://confirm.globessl.com/cm.html



Wednesday, September 24, 2014

« Back