Google Announces SHA-1 Deprecation Timeline

Google has announced its timeline for deprecating SHA-1 certificates, despite concerns expressed recently that sunsetting the broken encryption hashing algorithm will disconnect millions from the Internet.

SHA-1’s demise has been accelerated in recent months since researchers published a paper explaining that practical collision attacks could be months, instead of years, away.

Google, on Friday, announced that starting with Chrome 48 in early January, users will see error messages displayed if the browser encounters a site signed with a SHA-1 certificate issued on or after Jan. 1, 2016, 11 days from today. By Jan. 1, 2017, or possibly even as early as July 1, 2016, SHA-1 will be blocked altogether in Chrome. Microsoft has already announced it will start blocking SHA-1-signed certs in June 2016.

At this point, sites that have a SHA-1-based signature as part of the certificate chain (not including the self-signature on the root certificate) will trigger a fatal network error,” Google said in its announcement. “This includes certificate chains that end in a local trust anchor as well as those that end at a public CA.”

Microsoft and Mozilla are on similar timelines for ending support for SHA-1, and urge site operators to support SHA-2, drop support for non-RC4 cipher suites, and implement TLS.

In the meantime, Facebook and CloudFlare recently made public pleas to reexamine the path forward on SHA-1. Facebook chief security officer Alex Stamos shared data that shows that up to 7 percent of browsers in use do not support SHA-256, for example, and that tens of millions will be cut off from the Internet as of next Friday.

“A disproportionate number of those people reside in developing countries, and the likely outcome in those counties will be a serious backslide in the deployment of HTTPS by governments, companies and NGOs that wish to reach their target populations,” Stamos wrote.

CloudFlare CEO Matthew Prince, meanwhile, made his case by pointing out that unlike when MD5 was put out to pasture and SHA-1 support was widespread, the same cannot be said for SHA-2, which is also not supported on older mobile devices.

“In a Silicon Valley tech company, where most employees get a new laptop every year and having a 5-year-old phone is unheard of, this may not seem like a problem. But the Internet is used by billions of people around the world and most of them don’t have the latest technology,” Prince said. “To understand the impact, we spent the last few weeks testing browser connections to CloudFlare’s network for SHA-2 support. We see approximately 1 trillion page views for more than 2.2 billion unique visitors every month, which gives us a pretty representative sample of global traffic.”

Prince said approximately 37 million could be cut off from the Internet by the SHA-1 deprecation. Stamos, meanwhile, proposed that the CA/Browser Forum create a new Legacy Verified certificate that would issued to organizations that have made SHA-256 certs available to moder browsers.

“Such verification can be automated or manual, and appropriate measures can be put in place to reduce the risk of a collision attack. Those protections could include requiring LV applicants to have already passed OV or EV verification, as well as technical best practices such as serial number randomization,” Stamos wrote. “If this change cannot be implemented by December 31st, then we call on the CA/B Forum to delay the implementation of the SHA-1 rules for the period necessary to establish standards for Legacy certificates.”

The rush began in earnest in October when an academic paper demonstrated with some measure of practicality that tweaks to existing attacks and advances in the analysis of SHA-1 drastically reduce the cost and time to generate a collision attack against SHA-1, dropping the cost down to between $75,000 and $100,000 USD and trimming down the time to between 49 and 78 days, both well within reach of resourced nation-state attackers and higher end cybercrime outfits.

“This is not an easy issue, and there are well-meaning people with good intentions who will disagree,” Stamos said. “We hope that we can find a way forward that promotes the strongest encryption technologies without leaving behind those who are unable to afford the latest and greatest devices.”