The last days of SHA-1 SSL certificates are coming. Certificates of this type rely on a cryptographic hash calculated with the SHA-1 algorithm. Recent studies have shown that SHA-1 is not as strong as previously thought. Although no one has yet created an SSL certificate using a SHA-1 collision, many experts consider the risk of this happening to be high. A more complex alternative to SHA-1, called SHA-256, has been around for a long time and is just as easy to use. There is no reason to continue using SHA-1 certificates; they can easily be replaced with a more secure solution.
As a result, the major browser makers have set deadlines after which their products will no longer trust SHA-1 certificates. This is welcome news for everyone who is concerned about security:
- Chrome: at the end of January next year, with the release of version 56, Chrome will stop trusting SHA-1 SSL certificates and will display a warning.
- Mozilla Firefox: with the release of version 51 in January, the browser will display an untrusted-connection error if the site still uses SHA-1.
- Apple Safari: there are no exact dates for when Apple will officially cease to trust SHA-1 certificates. The latest macOS release notes call for abandoning SHA-1 as quickly as possible. The downloadable version of Sierra already no longer displays the green padlock that indicates a site is safe and reliable.
- Microsoft Internet Explorer and Edge: starting from February 14, websites that continue to use SHA-1 will receive an unpleasant gift: the sites will not load at all, although the user will still be able to reach them by clicking through the warning.
It is worth noting that in most situations, self-signed certificates and SHA-1 certificates installed by hand will still be supported by browsers.
Websites that use SHA-1 have received plenty of warnings to move to a new algorithm, including the well-known Heartbleed vulnerability. Calls to stop issuing SHA-1 certificates were heard as early as 2005. In 2012, NIST updated its security guidance and declared the SHA-1 algorithm obsolete. In 2014, Google said that sites using SHA-1 SSL certificates after 2016 will be penalized.
Now the threat has become quite high. Fortunately, many site owners have already taken measures. Mozilla noted that fewer than 1% of websites today use SHA-1 certificates, although other estimates say that SHA-1 certificates are installed on a third of all sites online.
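
To find out whether a given certificate is among those still signed with SHA-1, read the signature algorithm from the certificate itself. The following is an added example, not code from the original article: a minimal DER reader that extracts the signature-algorithm OID from a PEM or DER certificate and flags the SHA-1 variants. The function names and the short OID table are this example's own, and `sample_cert` builds constructed, certificate-shaped test data rather than a real certificate.

```python
import base64

# Certificate signature-algorithm OIDs -> (name, signed with SHA-1?)
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0  # valid for OIDs starting 0.x or 1.x
    for b in body[1:]:  # remaining arcs are base-128, high bit set means "more bytes"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Return (oid, name, uses_sha1) for a PEM or DER certificate given as bytes."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        lines = (line.strip() for line in cert.splitlines())
        cert = base64.b64decode(b"".join(l for l in lines if not l.startswith(b"-----")))
    outer, start, _ = read_tlv(cert, 0)            # Certificate ::= SEQUENCE {
    _, _, tbs_end = read_tlv(cert, start)          #   tbsCertificate (skipped)
    _, alg_start, _ = read_tlv(cert, tbs_end)      #   signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if outer != 0x30 or tag != 0x06:
        raise ValueError("input is not a DER-encoded X.509 certificate")
    oid = decode_oid(cert[oid_start:oid_end])
    return (oid, *SIG_ALGS.get(oid, ("unknown", None)))  # None: not in the table

def der(tag, body):
    """Encode one DER element; used only to build the constructed samples."""
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_cert(alg_byte):
    """Constructed, certificate-shaped DER with filler TBS and signature (demo only)."""
    alg = der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([alg_byte])) + der(0x05, b"")
    return der(0x30, der(0x30, bytes(300)) + der(0x30, alg) + der(0x03, bytes(257)))
```

Pass the bytes of a certificate file to `signature_algorithm`; a result of `None` in the third position means the OID is outside the table and needs a manual look.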