SHA-1 Beyond December 31, 2015

Transition To SHA-2

Microsoft and Google® announced SHA-1 deprecation plans that may affect websites with SHA-1 SSL Certificates. Chrome version 39 and later will display visual security indicators on sites with SHA-1 SSL certificates with validity beyond January 1, 2016.

Trustico® News

Generel Meddelelse

Denne side er ikke tilgængelig på dit sprog eller forsætligt kun tilgængelig på engelsk. Hvis du har brug for denne hjemmeside på dit sprog eller ønsker yderligere information.

Kan du kontakte os for yderligere rådgivning.

SHA-1 To Be Depreciated In Chrome

Google® plans to deprecate SHA-1 in a unique way on upcoming releases of Chrome starting with version 39. Considerably different from Microsoft’s plans that were announced in November 2013, Google® plans on placing visual marks or placing a block within the browser; all based on the version of the browser, date of use and the SSL Certificate expiration date.

Important Facts

SHA-1 is still safe to use, but critics say its long term ability to stand up to collision attacks is questionable.

SHA-2 is the next hashing algorithm to be used. If your end entity or intermediate SSL Certificates are SHA-1, it might be a good idea to exchange them now.

This is an industry wide issue and affects all Certification Authorities.

All SHA-1 end entity SSL Certificates and additionally any SHA-2 end entity SSL Certificates chaining up to an SHA-1 intermediate are affected. SHA-1 root certificates are not affected by either Microsoft’s or Google’s SHA-1 deprecation plan.

All SSL Certificates issued by Trustico® before 1 October 2014 were likely issued with the SHA-1 hashing algorithm. Trustico® offers free replacements for affected SSL Certificates with an expiry date beyond 1 January 2016.

SSL Certificates with an expiration date before 1 January 2016 are not affected and do not need to be replaced.

What We Expect To See With Future Chrome Releases

The guide below outlines Google's depreciation program via its Chrome browser. Release dates should be used as a guide only, however, any beta versions of Chrome 39, 40, 41 and beyond are affected immediately.

Chrome 39 (November 2014)

Any SHA-1 SSL Certificate, on a page, that expires on or after 1 January 2017 will be treated as "secure, but with minor errors". The lock within the address bar of the browser will have a yellow arrow over the lock as in this example provided by Google® :

secure, but with minor errors

If your SHA-1 SSL Certificate expires beyond 1 January 2017 it must be replaced to avoid the above action within Chrome 39.

Chrome 40 (Post Holiday Season)

Pages secured with a SHA-1 SSL Certificate expiring between 1 June 2016 and 31 December 2016 inclusive will experience the same treatment as described above.

Additionally, pages secured with a SHA-1 SSL Certificate expiring after 1 January 2017 will be treated as "neutral, lacking security". The lock in the address bar will be replaced by a blank page icon as in this example provided by Google® :

neutral, lacking security

If your SHA-1 SSL Certificate expires beyond 1 June 2016 it must be replaced to avoid the above action within Chrome 40.

Chrome 41 (Q1 2015)

Sites secured with a SHA-1 SSL Certificate with validity dates terminating between 1 January 2016 and 31 December 2016 inclusive will be treated as "Secure, but with minor errors".

Sites secured with a SHA-1 SSL Certificate expiring on or after 1 January 2017 will be treated as "affirmatively insecure". The lock will have a red "X" over it with the letters "HTTPS" crossed out with a red font as in this example provided by Google® :

affirmatively insecure

If your SHA-1 SSL Certificate expires beyond 1 January 2016 it must be replaced to avoid the above action within Chrome 41. We recommend that all Trustico® customers replace SHA-1 SSL Certificates before the release of Chrome 41.

How To Replace Your Affected SSL Certificate

Issuance insurance will allow you to submit a new request for an SSL Certificate completely free of charge. Your SSL Certificate will be reissued with any existing validity that is remaining.

If an SSL Certificate order includes issuance insurance you must use the My Account section of our website to begin the issuance insurance process. We recommend generating a new Certificate Signing Request (CSR) and Private Key whenever reissuing an SSL Certificate.

If your order does not include issuance insurance or the option is not showing, please Contact Us for further assistance.