Google plans to retire SHA-1 certificates – and it may be sooner than anticipated.
SHA-1 – Heading For the Graveyard
SHA-1’s demise has been certain for a decade: in 2005 researchers showed that collisions in SHA-1 (two different inputs with the same hash) could be found with far less work than the 2^80 operations brute force would require, which made the hash unsuitable for signing certificates even though no actual collision had yet been produced. Current plans, written into the Baseline Requirements of the CA/Browser Forum (the body where certificate authorities and browser vendors agree on issuance rules), halt issuance of new SHA-1 certificates as of January 1, 2016, with browsers due to stop accepting all SHA-1 certificates by January 1, 2017.
Recent studies now suggest that a real SHA-1 collision will be produced much sooner, and far more cheaply, than previously estimated. Google and other technology companies are therefore considering moving up their retirement deadlines. The practical risk is specific: a collision lets an attacker who can get a CA to sign a certificate request he controls craft a second, different certificate that carries the same valid signature, so stopping issuance matters more than anything a site can do with certificates already in the field. (A draft CA/B Forum proposal to allow limited SHA-1 issuance through the end of 2016 was also withdrawn; the security community wants SHA-1 off the board as soon as humanly possible.)
Google’s Accelerated Retirement Plan
Google plans a two-step process. In the first stage, already underway, Chrome marks sites whose certificate chains carry SHA-1 signatures with warning messages and a downgraded security indicator in the address bar. The second stage, outright rejection of all SHA-1 certificates, was scheduled for January 1, 2017 and may be brought forward six months, to July 1, 2016.
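The check Chrome is applying comes down to reading the signature algorithm out of each certificate in the chain and comparing it against a cut-off date. The script below is an added example, not Google’s or SSL.com’s code: it parses just enough DER, with only the Python standard library, to pull the signature-algorithm OID from both places an X.509 certificate records it (the inner TBSCertificate.signature field and the outer signatureAlgorithm), flags any mismatch between the two (RFC 5280 requires them to be identical), and then applies the warn-before-date / reject-after-date policy described above. The July 1, 2016 cut-off, the classification labels and the `build_sample_cert` skeleton certificates (no real key, dummy signature bytes) are this example’s own constructions; the OIDs are the standard ones for the named algorithms.

```python
from datetime import date

# DER-encoded OBJECT IDENTIFIER contents (without tag/length) of the algorithms
# the sample certificates use.
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5  sha1WithRSAEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
OID_SHA256_ECDSA = bytes.fromhex("2a8648ce3d040302")    # 1.2.840.10045.4.3.2   ecdsa-with-SHA256

# Signature algorithms built on SHA-1 that the policy should flag.
SHA1_SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

# Proposed date from which Chrome would reject every SHA-1 certificate (assumed for this example).
CHROME_REJECTION_DATE = date(2016, 7, 1)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Single-byte tags only, which is all X.509 certificates use."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _algorithm_oid(alg_identifier):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = _read_tlv(alg_identifier, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_algorithms(cert_der):
    """Return (inner, outer) signature-algorithm OIDs of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }"""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)                  # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)            # signatureAlgorithm
    tag, _, pos = _read_tlv(tbs, 0)                   # [0] version, or serialNumber in a v1 cert
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)               # skip serialNumber
    _, inner_alg, _ = _read_tlv(tbs, pos)             # TBSCertificate.signature
    return _algorithm_oid(inner_alg), _algorithm_oid(outer_alg)


def classify(cert_der, checked_on, rejection_date=CHROME_REJECTION_DATE):
    """Apply the staged policy: returns ('ok' | 'warn' | 'reject', reason)."""
    if isinstance(checked_on, str):
        checked_on = date.fromisoformat(checked_on)
    inner, outer = signature_algorithms(cert_der)
    if inner != outer:                                # forbidden by RFC 5280; never trust such a cert
        return "reject", "algorithm mismatch: tbsCertificate says %s, outer says %s" % (inner, outer)
    name = SHA1_SIGNATURE_ALGORITHMS.get(inner)
    if name is None:
        return "ok", inner
    return ("reject" if checked_on >= rejection_date else "warn"), name


def _der(tag, body):
    """Encode one DER TLV; used only to build the constructed sample certificates."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def build_sample_cert(inner_oid, outer_oid):
    """Constructed certificate skeleton: a v3 TBSCertificate holding only the fields
    this check reads, no public key, and a dummy signature BIT STRING."""
    version = _der(0xA0, _der(0x02, b"\x02"))         # [0] EXPLICIT INTEGER 2 -> v3
    serial = _der(0x02, b"\x01")
    tbs = _der(0x30, version + serial + _der(0x30, _der(0x06, inner_oid)))
    outer = _der(0x30, _der(0x06, outer_oid))
    signature = _der(0x03, b"\x00" + bytes(8))        # BIT STRING, 0 unused bits, dummy value
    return _der(0x30, tbs + outer + signature)


if __name__ == "__main__":
    for inner, outer, when in [(OID_SHA1_RSA, OID_SHA1_RSA, "2016-03-01"),
                               (OID_SHA1_RSA, OID_SHA1_RSA, "2016-07-01"),
                               (OID_SHA256_ECDSA, OID_SHA256_ECDSA, "2016-07-01"),
                               (OID_SHA256_RSA, OID_SHA1_RSA, "2016-03-01")]:
        print(when, classify(build_sample_cert(inner, outer), when))
```

To use this on a real chain, feed `classify` the DER bytes of the leaf and of each intermediate; the self-signed root is exempt, because browsers do not verify the signature on a trust anchor and a SHA-1 self-signature there is harmless. For a quick manual look, `openssl x509 -in cert.pem -noout -text` prints the same field as "Signature Algorithm".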
Both Mozilla and Microsoft are also considering this accelerated deadline for their browsers, while CloudFlare and Facebook are setting up workarounds for the small percentage of their users whose clients cannot validate SHA-256 signatures: such clients are identified from their TLS handshake and served a SHA-1 certificate, so that a modern browser never sees one.
Check back with SSL.com – we’ll keep you up to date as this story develops.