An aggressive policy to remove SSL/TLS certificates signed with the SHA-1 hashing algorithm was announced in November 2013 by Microsoft. The SHA-1 hashing algorithm was considered weak to collision attacks, so the goal was to move to the stronger SHA-2 family of hashing algorithms. The hash is a cryptographic representation of the certificate, which is used in certificate validation. It should be hard to produce a hash collision, where two certificates have the same hash. As SHA-1 is weak, the SSL/TLS industry now signs certificates mostly with the SHA-256 version.

SHA-1 Deprecation Program

The SHA-1 deprecation program required that certification authorities (CAs) stop signing with SHA-1 as of January 1, 2016. The goal was then to have Windows stop trusting SHA-1 signed SSL/TLS certificates in 2017. Apple, Google and Mozilla all support the deprecation plan.

The good news is that certificate subscribers have been very efficient at upgrading to SHA-2 signed certificates. Recent data from Netcraft shows that only about 2.5 percent of certificates found in their monthly SSL survey are signed with the SHA-1 hash.
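To find certificates still affected by the deprecation, the signature hash can be read from the certificate itself. The following is an added example, not code from the original post: a standard-library Python parser that reads the signatureAlgorithm OID from a DER-encoded certificate and names the hash. The function names and the sample inputs are constructed for illustration (skeletons with dummy content, not valid certificates).

```python
SIG_ALGS = {  # signatureAlgorithm OID -> (name, hash)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):  # base-128 arcs; the first byte packs the first two arcs
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def signature_hash(der):
    """Return (algorithm name, hash) from the outer signatureAlgorithm field."""
    tag, start, _ = read_tlv(der, 0)                 # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)             # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER X.509 certificate")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, (oid, "unknown"))

def tlv(tag, body):  # DER-encode one element; only builds the constructed samples
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_cert(oid_body):  # constructed skeleton: dummy TBS, OID, dummy signature
    alg = tlv(0x30, tlv(0x06, oid_body) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"\x00" * 200) + alg + tlv(0x03, b"\x00" * 17))

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

A PEM certificate can be converted to DER first with `ssl.PEM_cert_to_DER_cert()` from the standard library.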
Figure: Netcraft SSL Survey – November 2016

Other surveys indicate the percentage may be quite a bit higher. Please note that certificate subscribers have been focusing their energy on upgrading the publicly trusted certificates that are used by browsers. In other use cases, the certificate may be implemented in a server-to-server mode or may be issued from a private trust CA, which is not impacted by the SHA-1 deprecation plan. Also note that some subscribers have picked a certificate expiry date of December 31, 2016, so we anticipate a large move to SHA-2 in late December.

When will Browser Users be Impacted?

It is anticipated that all popular browsers will show errors for SHA-1 signed SSL/TLS certificates in 2017: