Check your Website for SHA-1 Migration
Google recently announced that it plans to phase out the SHA-1 algorithm in upcoming versions of its Chrome browser. SHA-1 is still in use in many applications and protocols. However, because of technical weaknesses, SHA-1 is considered unreliable and insecure against potential collision attacks. After Microsoft's announcement, Google and Mozilla also joined the migration movement. Below we have gathered these companies' statements and social media reactions to this movement.
According to Google's announcement, from November 2014 Google Chrome will start to withdraw support for the SHA-1 algorithm in the upcoming Chrome versions 39, 40, and 41. Microsoft and Mozilla Firefox have already given notice that they are retiring the SHA-1 algorithm because SHA-1 is susceptible to collision attacks.
On Tuesday, Nov 12, 2013, a Microsoft advisory commented on retiring the SHA-1 algorithm:
“Since 2005 there have been known collision attacks (where multiple inputs can produce the same output), meaning that SHA-1 no longer meets the security standards for producing a cryptographically secure message digest.”
Google acted later, but wisely, on SHA-1 migration and announced: “We plan to surface, in the HTTPS security indicator in Chrome, the fact that SHA-1 does not meet its design guarantee. We are taking a measured approach, gradually ratcheting down the security indicator.”
Chrome, IE will no longer support SHA-1 certs expiring after 2016-2017. Good move, but will require work to renew! https://t.co/6TIu0JNxNE — Bruno Kerouanton (@kerouanton) September 25, 2014
Google Chrome takes on SHA-1 for improved Internet safety http://t.co/WcGeaKZ16p — ITProPortal (@ITProPortal) September 8, 2014
Mozilla declared in its announcement: “We plan to add a security warning to the Web Console to remind developers that they should not be using a SHA-1 based certificate. We will display an additional, more prominent warning if the certificate will be valid after January 1, 2017, since we will reject that certificate after that date.”
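To see where a site's certificate falls under the Mozilla rule quoted above, the following added example (not from the original article or from any vendor) parses the text that `openssl x509 -noout -text` prints and reports which warning tier applies. The function names, tier labels and sample certificate text are constructed for illustration, and "valid after January 1, 2017" is interpreted as an expiry on or after 2017-01-01 00:00 UTC.

```python
import re
from datetime import datetime, timezone

# Cutoff date taken from the Mozilla statement quoted above.
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the relevant lines of `openssl x509 -noout -text` output.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Jun  1 00:00:00 2014 GMT
            Not After : Jun  1 23:59:59 2017 GMT
    Signature Algorithm: sha1WithRSAEncryption
"""

def parse_cert_text(text):
    """Return (signature_algorithm, not_after) from an openssl text dump."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text)
    end = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    if not alg or not end:
        raise ValueError("input does not look like `openssl x509 -text` output")
    # openssl pads single-digit days with a space ("Jun  1"); normalise first.
    stamp = " ".join(end.group(1).split())
    not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return alg.group(1), not_after.replace(tzinfo=timezone.utc)

def classify(text):
    """Map a certificate to a warning tier (labels are hypothetical)."""
    alg, not_after = parse_cert_text(text)
    # Matches sha1WithRSAEncryption, ecdsa-with-SHA1 and dsaWithSHA1.
    if "sha1" not in alg.lower():
        return "ok"
    # Assumption: "valid after January 1, 2017" means notAfter >= the cutoff.
    if not_after >= CUTOFF:
        return "sha1-prominent-warning"
    return "sha1-warning"

if __name__ == "__main__":
    alg, not_after = parse_cert_text(SAMPLE_TEXT)
    print(alg, not_after.date(), classify(SAMPLE_TEXT))
```

The check covers only the certificate whose text is passed in, so each certificate in a chain has to be dumped and classified separately.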
After Google’s announcement, upcoming Chrome versions will produce the following types of errors over a specific period: