SHA-1 Certificate Deprecation

Owned by Michael McNulty
Last updated: Oct 10, 2014

Background

SHA (secure hash algorithm) is used with certificates as part of the SSL protocol for cryptographically securing Internet communications for web sites, e-mail and other Internet services.  The original SHA method used for signing certificates, known as SHA-1 (160-bit signatures) is no longer cryptographically strong for today's Internet.  This is the result of increasing computational power available in today's computers and new algorithms and approaches that allow these smaller key sizes and generation techniques to be more easily exploited. 

As a result of these weaknesses, the Internet community and certificate providers are moving to SSL certificates that were generated using the more secure SHA-2 (256-bit and 512-bit signatures) algorithm.  In parallel, the major Internet browser providers (Google, Microsoft, Mozilla, Safari) are working towards updating their browsers, such that users accessing web sites that are still using certificates signed with the older SHA-1 algorithm will warned the user that the site is insecure. 

Google's Deprecation timeline

Google is taking the most aggressive approach towards deprecating SHA-1 certificates, as shown in the chart below. TTS has already started to convert all SHA-1 certs and will complete the process by end of 2014.

Release version

Branch Point

release date

Stable version

release date

(when it’ll take effect)

Cert expiration

Browser

indicator

Security

status

Chrome 39 Branch Point 26

September 2014

November 2014

On or after Jan 1, 2017

Yellow triangle

 

Secure, but with minor errors

Chrome 40 Branch Point 7

November 2014

January 2015

Between June 1, 2016 and Dec 31, 2016

Yellow triangle

Secure, but with minor errors

On or after Jan 1, 2017

Blank page icon

Neutral, lacking security

Chrome 41, branch point Q1 2015

2015Q1

+6-8 weeks

Between Jan 1, 2016 and Dec 2016

Yellow triangle

Secure, but with minor errors

On or after Jan 1, 2017

Affirmatively insecure

Lock with red X

 

Additional Details:

Microsoft: <http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx>

Mozilla: <https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/>

Google:  <http://www.scmagazine.com/google-acceleration-of-sha-1-deprecation-draws-resistance/article/369804/>

Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.