Earlier this year, both Google and Mozilla released versions of Chrome and Firefox with changes to their security indicators and updates for the SHA-1 deprecation. Both browsers feel that these changes will simultaneously help users recognize the risks of entering unsecure HTTP sites and urge site owners to upgrade to secure HTTPS connections.
In September and November of 2016, Google announced the two major changes they planned to make in Chrome 56, which they released near the end of January 2017.
Security Indicator Updates
The first change in Chrome 56 is updated security indicator icons for HTTP connections. Most importantly, sites that still use HTTP on pages that collect passwords, credit card details, or other sensitive information will be plainly marked “Not secure.”
In previous versions of Chrome, Google marked HTTP connections as not secure using only a neutral security icon, however, Google felt that the icon did not fully relay to users the lack of security of HTTP connections. Here is what the proposed change will look like:
Eventually, Chrome will mark unsecure HTTP pages in red lettering preceded by a red warning triangle.
The second change with Chrome 56 is ending support for SHA-1 in hopes that organizations will make the decision to transition to SHA-2. Although this change may come with some growing pains, transitioning to SHA-2 will strengthen security for an organization’s website and site visitors.
Using SHA-1 in Private PKIs
While Chrome 56 will not support SHA-1, Google recognizes there may be organizations who wish to continue using SHA-1 certificates within a private PKI. To give these organizations more time to make the move from SHA-1 to SHA-2, Google provides the EnableSha1ForLocalAnchors policy, which allows a SHA-1 certificate to be used in the certificate chain as long as it chains to a local trust anchor. While this policy is not intended to be a permanent solution, it will aid organizations in making the move to SHA-2. Google plans to remove the policy in January 2019.
Security Indicator Updates
In January 2017, Mozilla announced on the Mozilla Security Blog how they will treat HTTP sites that collect usernames and passwords: beginning with Firefox 51, the browser will display a grey lock icon with a red strike-through in the address bar.
In addition to the updated security indicator, Firefox 51 states “Connection is Not Secure,” which users can view in the connection tab.
Future versions of Firefox will eventually display the updated icon and connection tab for all HTTP sites and not solely for pages that collect passwords.
Firefox 51 will display a warning to users for any site that does not support SSL certificates using the SHA-2 hashing algorithm. These warnings began for Firefox beta users at the end of January 2017 and will affect others users later on.
In January 2017, Apple announced they will end support for SHA-1 in Safari and WebKit come spring 2017. This change will affect certificates included in the OS default trust store. Support will remain for SHA-1 root certificates, enterprise-distributed certificates, and user-installed certificates until late 2017.
Safari will also notify users of connections using SHA-1 signed certificates. Users will still be able to access sites using SHA-1 signed certificates, but they must click on the notification to load these sites.
Microsoft Edge and Internet Explorer 11
In November 2016, Microsoft released an update for their SHA-1 deprecation timeline. Microsoft plans to deprecate SHA-1 by mid-2017 in both Microsoft Edge and Internet Explorer 11. At that point, both browsers will prevent any site using a SHA-1 certificate from loading and will display an invalid certificate warning.
At this phase of their SHA-1 deprecation plan, SHA-1 certificates chaining to a trusted root CA will be the only ones affected. This will not affect manually installed enterprise or self-signed SHA-1 certificates. The next release of Windows 10 will block SHA-1 in the browser by default.
Moving Towards a Safer Internet
These updates to Chrome 56, Firefox 51, and Safari are critical to help bolster website security and make the web safer for users.
To ease the transition from SHA-1 to SHA-2, DigiCert offers simple steps and tools. There is still time to make the transition and our support team is available 24/7 if you need assistance at any point in the process.