Microsoft, Google and Mozilla will stop SHA-1 SSL cert support from 2017
SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3. Microsoft, Google and Mozilla have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
SHA-1 was a very popular hashing algorithm, and the news is that Microsoft, Google and Mozilla will all stop supporting SHA-1 certificates in their browsers from January 2017.
On February 14, 2017, Microsoft will release an update to Microsoft Edge and Internet Explorer 11 that will display an Invalid Certificate warning page alerting users that their connection is not secure.
In February 2017, there will be no impact for roots that are not included in Microsoft Trusted Root Program, such as enterprise or self-signed roots that you’ve chosen to trust.
A cross-certificate signed by a Microsoft Trusted Root that chains to your own root would not be impacted in February 2017.
In Google Chrome, sites with end-entity certificates that expire between 1 January 2016 and 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.
Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domains will be treated as “active mixed content”.
The current visual display for “affirmatively insecure” is a lock with a red X, and a red strike-through text treatment in the URL scheme.
In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually imported root certificate, as specified by the user, will continue to be supported by default; this continues to allow certain enterprise root use cases, though it is strongly recommended to migrate away from SHA-1 as quickly as possible.
This policy is included as an option in Firefox 51, and Mozilla plans to ramp up its use gradually. Firefox 51 is currently in Developer Edition and is scheduled for release in January 2017.
What should we do?
Below are a few recommendations to avoid errors such as “Untrusted certificate”, “Certificate not recognized” and “Connection can’t be established”:
- Ensure new certificates and their chains use SHA-256.
- Replace SHA-1 certificates that expire after 2016, bearing in mind that:
1. Older server platforms might not support SHA-256 certificates.
2. Some older clients don’t support SHA-256.
- You should no longer consider any SSL certificate secure. If you have a site served over SSL, migrate it to TLS 1.2 or later with a certificate that uses SHA-2.
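As an added example (not code from the article or from any of the three vendors), the following Python applies the Chrome rules quoted above to a certificate chain: it reads each certificate’s signatureAlgorithm OID and the leaf’s notAfter date with a minimal DER walker, then returns Chrome’s verdict. The sample certificates are constructed inside the block with dummy signature bytes, so they parse but would not verify; `make_cert`, `cert_info` and `chrome_verdict` are names chosen here, not a library API. Pass the leaf first and leave out the self-signed root, whose own signature is not part of what browsers check.

```python
"""Added example: classify a certificate chain under Chrome's 2016/2017 SHA-1
rules. The DER parser is minimal (enough for the fields it reads) and the
sample certificates are constructed here with dummy signature bytes."""
import datetime

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> (name, hash family)
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

# --- minimal DER encoder, used only to build the constructed samples ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then the length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:  # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

# --- minimal DER decoder ---
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def decode_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(raw.decode("ascii"), fmt)

def cert_info(der_cert):
    """Return (signature algorithm name, hash family, notAfter) of one certificate."""
    _, cert, _ = read_tlv(der_cert)
    tbs, sig_alg, _sig = children(cert)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:          # explicit [0] version is optional
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    not_after = decode_time(*children(fields[3][1])[1])
    oid = decode_oid(children(sig_alg[1])[0][1])
    name, hash_family = SIG_ALGS.get(oid, (oid, "unknown"))
    return name, hash_family, not_after

def chrome_verdict(chain_der):
    """Chrome's treatment of a chain (leaf first, root excluded), per the rules above."""
    if not any(cert_info(c)[1] == "SHA-1" for c in chain_der):
        return "secure"
    leaf_expiry = cert_info(chain_der[0])[2]
    if leaf_expiry < datetime.datetime(2016, 1, 1):
        return "expired"
    if leaf_expiry <= datetime.datetime(2016, 12, 31, 23, 59, 59):
        return "secure, but with minor errors"
    return "affirmatively insecure"

def make_cert(sig_oid, not_after_utc):
    """Constructed sample: structurally valid X.509 v3 shell, dummy signature bytes."""
    alg = der(0x30, der_oid(sig_oid) + b"\x05\x00")
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"example"))))
    validity = der(0x30, der(0x17, b"160101000000Z") + der(0x17, not_after_utc))
    spki = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + der(0x03, b"\x00\x30\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xAA" * 16))

# Constructed samples (not real certificates)
SHA1_LEAF_2016 = make_cert("1.2.840.113549.1.1.5", b"161001000000Z")
SHA1_LEAF_2017 = make_cert("1.2.840.113549.1.1.5", b"170601000000Z")
SHA256_LEAF = make_cert("1.2.840.113549.1.1.11", b"180101000000Z")
SHA1_INTERMEDIATE = make_cert("1.2.840.113549.1.1.5", b"200101000000Z")
SHA256_INTERMEDIATE = make_cert("1.2.840.113549.1.1.11", b"200101000000Z")

if __name__ == "__main__":
    for label, chain in [("SHA-1 leaf expiring 2016", [SHA1_LEAF_2016, SHA256_INTERMEDIATE]),
                         ("SHA-1 leaf expiring 2017", [SHA1_LEAF_2017, SHA256_INTERMEDIATE]),
                         ("SHA-256 leaf, SHA-1 intermediate", [SHA256_LEAF, SHA1_INTERMEDIATE]),
                         ("all SHA-256", [SHA256_LEAF, SHA256_INTERMEDIATE])]:
        print(f"{label}: {chrome_verdict(chain)}")
```

The third case is the one that catches people out: a freshly issued SHA-256 leaf still lands in “affirmatively insecure” if any intermediate in the served chain is SHA-1 signed, which is why the recommendation above says to check the chain, not just the end-entity certificate. To run this on real certificates, feed `chrome_verdict` the DER bytes of each certificate the server actually sends (for PEM input, base64-decode the body between the `BEGIN/END CERTIFICATE` lines first).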