[Dev] HEADS UP: Google Chrome is "Gradually sunsetting SHA-1" SSL certificates
Oliver Schonefeld
schonefeld at ids-mannheim.de
Thu Sep 18 10:27:57 CEST 2014
Hi developers,
Google will deploy changes in their certificate security evaluation
algorithms pretty soon, starting 2014-11 with Chrome 39.
Depending on when the certificate will expire, Google Chrome will mark
sites that use SHA-1 based signature signed SSL certificates as "secure,
but with minor errors" (a lock icon with a yellow warning sign). As of
Q1 2015, those sites may be marked as "affirmatively insecure" (crossed
out red lock icon).
It is not sufficient to just renew the certificate of the server, but
the complete certificate chain up to the root must be "SHA-1 free". When
in doubt, you should check with your certification authority (CA).
For details about Google's plans, see
http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html
Please note, Microsoft is also phasing out SHA-1 signed certificates,
but they are not as aggressive as Google is:
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
If you want to assess the overall quality of your SSL setup, SSLLabs has
a nice "SSL Server Test" online at
https://www.ssllabs.com/ssltest/
Make sure to check the "Do not show the results on the boards", if you
don't want your server to appear in the lists below!
Best,
Oliver
--
Oliver Schonefeld
Institut für Deutsche Sprache, Zentrale Forschung
R5, 6-13, D-68161 Mannheim
+49-(0)621-1581-451 | http://www.ids-mannheim.de
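The message's point that renewing the server certificate alone is not enough can be checked offline. The following is an added example, not part of the original message: it walks a PEM bundle and reports every certificate whose signatureAlgorithm uses SHA-1. The function names, the hex OID table and the certificate-shaped sample data are constructed for this illustration.

```python
import base64
import re

# DER content bytes (hex) of certificate signatureAlgorithm OIDs that use SHA-1.
SHA1_SIG_OIDS = {
    "2a864886f70d010105": "sha1WithRSAEncryption (1.2.840.113549.1.1.5)",
    "2a8648ce380403": "dsa-with-sha1 (1.2.840.10040.4.3)",
    "2a8648ce3d0401": "ecdsa-with-SHA1 (1.2.840.10045.4.1)",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_oid(der):
    """Hex OID of Certificate.signatureAlgorithm, the field after tbsCertificate."""
    _, cert_start, _ = read_tlv(der, 0)         # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)   # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return der[oid_start:oid_end].hex()

def sha1_signed(pem_bundle):
    """Return [(position, algorithm)] for every SHA-1-signed certificate in the bundle."""
    oids = [signature_oid(base64.b64decode(b)) for b in PEM_RE.findall(pem_bundle)]
    return [(i, SHA1_SIG_OIDS[o]) for i, o in enumerate(oids) if o in SHA1_SIG_OIDS]

def fake_cert_pem(sig_oid_hex):
    """Constructed sample: certificate-shaped DER with dummy tbsCertificate and signature."""
    alg = bytes.fromhex("300d0609" + sig_oid_hex + "0500")
    body = b"\x30\x82\x01\x00" + bytes(256) + alg + b"\x03\x02\x00\x00"
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    pem = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Constructed chain: SHA-256 leaf (position 0) issued by a SHA-1 intermediate (1).
    chain = fake_cert_pem("2a864886f70d01010b") + fake_cert_pem("2a864886f70d010105")
    print(sha1_signed(chain))
```

Passing the text of a real PEM chain file to `sha1_signed` works the same way; position 0 is the first certificate in the file.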