

SHA1: Deprecation of the SHA1 algorithm scheduled for 2015, 2016, 2017?

Microsoft

A few weeks ago Microsoft announced its decision to deprecate the use of SHA1 from January 2017 and to replace it with SHA256. All certificates and intermediates signed with SHA1 will no longer be recognized and will trigger security alerts in all Microsoft products.

The reasons

Even though SHA1, the most widely used hash algorithm (98%), is still sound and will remain so for some time, SHA256 was created to eventually take over and guarantee the long-term security of SSL.

Microsoft chose to deprecate SHA1 on its own initiative, for security reasons, even though the CA/B Forum has not yet recommended anything of the sort.

Our Catalog

TBS INTERNET launched its own SHA256 certificates back in 2008 and added Symantec, Thawte and Comodo SHA256 certificates to its range of products in 2013. We are currently able to meet any SHA256 need and will be there to guide you through this transition.

The Authorities

In 2013 Symantec and Thawte launched their SHA256 certificate offering. These certificates are available in our catalog.

GlobalSign has scheduled its SHA256 certificates release for 2014. TBS is preparing to add those to its range of products when they are available.

It will then be possible to request a GlobalSign SHA256 certificate or to reissue a SHA1 certificate to get its SHA256 counterpart.

Code signing certificates

The deadline for code signing certificates is set for January 1, 2016, but note that:

  • Windows will stop accepting SHA1 code signing certificates without time stamps after 1 January 2016.
  • SHA1 code signing certificates that are time stamped before 1 January 2016 will be accepted until such time as Microsoft decides SHA1 is vulnerable to a pre-image attack.

Client certificates

Microsoft has not yet defined a date for blocking SHA1 client certificates. But it warns Certification Authorities that they "should expect SHA1 certificates issued after 1/1/2017 may stop working at any time".

Microsoft provisional calendar

  • January 1, 2016: Microsoft will cease trusting Code Signing Certificates using SHA-1
  • January 1, 2017: Microsoft will cease trusting server Certificates using SHA-1

Important: Microsoft will re-examine the impact of this Policy at mid-term (July 2015).

UPDATE 20161108: Microsoft finally postponed the end of SHA1 support for server certificates to February 2017. Further information is available on the Microsoft website.

Google Chrome

Google has announced a plan to deprecate SHA1 progressively in its Chromium browser.

A specific display will be launched during the 4th quarter of 2014. It is not an alert but a visual element in the address bar indicating an error. It will evolve like this:

| Certificate expiration | Chrome 39 (Quarter 4 - 2014) | Chrome 40 (January 2015) | Chrome 42 (Quarter 2 - 2015) |
|---|---|---|---|
| After 2017-01-01 | minor | neutral | insecure |
| After 2016-06-01 | - | minor | neutral |
| After 2016-01-01 | - | - | minor |

According to the chart above, a SHA1 certificate expiring after January 1st, 2016 will trigger a "minor" security error from version 41 of Chrome (see visuals below).


[Images: Chrome address bar indicators for the "minor", "neutral" and "insecure" states]

Alert messages on Chrome

  • For EV (Extended Validation) certificates these alerts, even the minor ones, go along with the deactivation of the green URL bar on Google Chrome.

  • On Chrome Windows, if you click on the padlock / yellow triangle, messages appear if you keep using SHA1-signed certificates. For example:

    "The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."

    or:

    "Your connection to www.mydomain.com is encrypted with obsolete cryptography."

    "This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private."

Troubleshooting: From your certificate status page, request a free reissuance of your certificate and select the SHA256 hash option.
If the reissuance form doesn't offer the SHA256 option, you can request a new certificate or renew the existing one: http://www.tbs-certificats.com/

Mozilla

Mozilla decided to agree with the positions of Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016, or trusted after January 1, 2017.

After January 1, 2016, Mozilla plans to show the “Untrusted Connection” error whenever a newly issued SHA-1 certificate is encountered in Firefox. After January 1, 2017, they plan to show the “Untrusted Connection” error whenever a SHA-1 certificate is encountered in Firefox.


CA/B Forum

Following the announcements by Microsoft, Google and Mozilla that they will deprecate SHA1 over the next few months or years, the CA/B Forum has officially announced that SHA1 will no longer be accepted after December 31, 2014. It is no longer possible to obtain a SHA1 certificate expiring after this date, and no SHA1 certificate will be delivered after January 1st, 2016.

-> All the deadlines regarding SHA1 disappearance

Case study

Alert: "This site makes use of a SHA-1 certificate"

Even after you have purchased and installed a SHA256-signed SSL certificate to secure your website, the browser keeps displaying an alert such as:

"This site makes use of a SHA-1 certificate; It's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1."

Troubleshooting: Make sure your HTML pages do not load external resources (JavaScript, CSS, Google Fonts, AJAX APIs...) from servers that may be secured but still use SHA-1 signed certificates.

Notable examples to date:

  • (March 2015): https://ajax.googleapis.com/
  • (March 2015): https://www.google.com/fonts
  • (March 2015): https://www.google.fr/
  • (March 2015): https://www.gmail.com/
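
One way to run the check described in the troubleshooting step above, as an added example (not TBS INTERNET's code and not its Co-Pibot tool): it reads the signatureAlgorithm OID from a DER certificate and flags third-party HTTPS hosts whose leaf certificate is SHA-1 signed. The function names, the sample URLs and the skeleton DER bytes are constructed for illustration; only the leaf certificate is inspected, not the intermediates.

```python
import ssl
from urllib.parse import urlparse

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # SHA-1 based
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}           # signature OIDs

def _tlv(buf, pos):
    """Read one DER header at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_oid(der):
    """Dotted OID of Certificate.signatureAlgorithm (how the issuer signed it)."""
    _, start, _ = _tlv(der, 0)        # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)  # skip over tbsCertificate
    _, alg, _ = _tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, lo, hi = _tlv(der, alg)      # its first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    first = min(der[lo] // 40, 2)
    arcs, value = [first, der[lo] - 40 * first], 0
    for byte in der[lo + 1:hi]:       # base-128 arcs, high bit = continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def fetch_leaf_der(host):  # live fetch, needs network; leaf certificate only
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))

def sha1_hosts(resource_urls, own_host, fetch_der=fetch_leaf_der):
    """Third-party https hosts whose leaf certificate carries a SHA-1 signature."""
    hosts = {urlparse(u).hostname for u in resource_urls if urlparse(u).scheme == "https"}
    oids = {h: signature_oid(fetch_der(h)) for h in hosts - {own_host, None}}
    return {h: SHA1_SIG_OIDS[o] for h, o in oids.items() if o in SHA1_SIG_OIDS}

# Constructed sample: skeleton DER (empty tbsCertificate and signature), not real certificates.
SAMPLE_DER = {
    "cdn.example.net": bytes.fromhex("3014 3000 300d06092a864886f70d0101050500 030100"),
    "fonts.example.org": bytes.fromhex("3014 3000 300d06092a864886f70d01010b0500 030100"),
}
SAMPLE_URLS = ["https://cdn.example.net/lib.js", "https://fonts.example.org/css",
               "https://www.example.com/site.css", "/local/app.js"]
```

Calling `sha1_hosts(urls, "www.example.com")` without a third argument fetches each host's certificate over the network instead of using the constructed samples.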

Windows XP not SHA256-compatible

Updating a large fleet of computers can take some time. This is the case in institutions still using machines running Windows XP (with a version of Internet Explorer released before version 7, or under Windows XP SP2 or earlier). These OS / browser combinations cannot connect to servers using a SHA256-signed certificate.

Intermediate solution:

  • To be compliant with the new security standard, your server will eventually have to use a SHA256-signed certificate.

  • On user machines that still run Windows XP SP2 and cannot be updated quickly, you can still install and use free software from Mozilla (Firefox browser, Thunderbird email reader...) to access SHA256-secured sites.

Useful links

Check your certificate installation with Co-Pibot:

In your Certificates' center, on your certificate's status page, you'll see a "check your certificate" button. Click it to make sure your certificate has been installed correctly.


Error messages that can be encountered on a browser


Further information