Google announced on September 5, 2014, that Chrome will sunset SHA-1 by providing security warnings through the popular browser.
SHA-1 is a secure hash algorithm used when signing SSL certificates. SHA-1 produces a 160-bit hash value representing the certificate. The hash is designed so that it is infeasible to find two different certificates with the same value. Unfortunately, over time, the hashing algorithm becomes weaker due to the increase in computing power.
SHA-1 has been determined to be weak to collision attacks. As such, Microsoft presented a SHA-1 Deprecation Policy in November 2013, which gave three years’ notice to sunset SHA-1:
With the September policy announcement, Google has given two to six months’ notice to sunset SHA-1. Google will provide security warnings through Chrome releases 39, 40, and 41, which will be available from the fall of 2014 through early 2015. For SHA-1 certificates expiring in 2017, the warnings in the status bar will progress from “secure with minor errors” to “affirmatively insecure.”
Note: This diagram is for planning purposes only. Google has yet to officially announce upcoming Chrome release dates. All timelines are approximations based on past releases and should not be considered final.
To mitigate this risk, Entrust recommends the following:
If you use SSL certificates and need more information, please contact Entrust or your CA. If you would like to provide feedback to Google, please join the intent to deprecate online discussion.
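To find the certificates the Chrome warnings above apply to, the following added example (not Entrust's or Google's code) reads the text printed by `openssl x509 -noout -text` and flags certificates that are signed with SHA-1 and expire in 2017 or later. The sample certificates are constructed, and treating "2017 or later" as the cutoff is this example's assumption.

```python
import re
from datetime import datetime

# Constructed sample: trimmed `openssl x509 -noout -text` output for three
# hypothetical certificates (names and dates are made up for this example).
SAMPLE = {
    "www.example.test": """
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Jan 10 00:00:00 2014 GMT
            Not After : Jan  9 23:59:59 2017 GMT
    """,
    "old.example.test": """
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Jul  1 12:00:00 2013 GMT
            Not After : Jun 30 12:00:00 2015 GMT
    """,
    "new.example.test": """
    Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Sep 15 00:00:00 2014 GMT
            Not After : Sep 14 23:59:59 2017 GMT
    """,
}

SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s+GMT")

def parse_cert_text(text):
    """Return (signature algorithm, notAfter) from openssl's text dump."""
    sig, end = SIG_RE.search(text), NOT_AFTER_RE.search(text)
    if not sig or not end:
        raise ValueError("input is not `openssl x509 -text` output")
    return sig.group(1), datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")

def audit(reports, cutoff_year=2017):
    """Classify each certificate; cutoff_year is this example's assumption."""
    findings = {}
    for name, text in reports.items():
        sig_alg, not_after = parse_cert_text(text)
        if "sha1" not in sig_alg.lower():    # e.g. sha256WithRSAEncryption
            findings[name] = "ok"
        elif not_after.year >= cutoff_year:  # SHA-1 and expiring 2017 or later
            findings[name] = "affected"
        else:                                # SHA-1, but expires before 2017
            findings[name] = "sha1-expires-earlier"
    return findings

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```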
Updated September 10, 2014: Ivan Ristić provides support on SHA-1 deprecation.
Updated September 24, 2014: Mozilla states its SHA-1 position.
Updated January 26, 2015: Google Chrome 40 was released on January 23, 2015. We expect Chrome 41 to be released approximately 6 weeks later, so about March 6, 2015. Please visit our website for more information on migration from SHA-1 to SHA-2.