Changes to Security Indicators in the Chromium Browser affecting SHA1 SSL Certificates

Solution

In late 2013, Microsoft announced that SHA1 certificates would no longer be accepted in Windows after January 2017. At that time, QuoVadis changed its default SSL certificate issuance to SHA256.

 

(Update: Microsoft has now moved the deprecation of SHA1 certificates in Windows to February 14, 2017. In addition, SHA1 SSL certificates will lose the padlock indicator in Microsoft browsers in mid-2016.)

 

Concerned that large numbers of SHA1 certificates are still in use, the Chromium browser has announced plans to gradually degrade the security indicators for SHA1 SSL certificates in order to encourage server operators to upgrade to SHA256 now, rather than wait until the 2017 deadline.

 

QuoVadis recommends the replacement of existing SHA1 certificates using the new SHA256 certificate policies available in Trust/Link Enterprise.  Please contact QuoVadis support if you require assistance.

 

The Chromium changes affect any certificate that has a SHA1-based signature anywhere in its validated chain. In other words, the change affects SHA1 SSL certificates as well as SHA256 certificates issued from SHA1 intermediate CAs. The algorithm used by the Root CA is not relevant.

 

Also check the certificates of sites that serve “included” content (subresources) on HTTPS pages, since these affect the indicator of the page that loads them.

  • Beginning with Chromium version M39, SSL certificates that expire on or after 2017/1/1 will be shown the "Secure, but minor errors" icon, with text indicating that the site will cease working in future versions of Chrome.

  • Beginning with Chromium version M40, SSL certificates that expire between 2016/6/1 and 2016/12/31 inclusively will be shown the "Secure, but minor errors" icon, with text indicating that the site will cease working in future versions of Chrome.

    In addition, SSL certificates that expire on or after 2017/1/1 will be shown the "Neutral, no security" icon, with text indicating that the site will cease working in future versions of Chrome.
     
  • Beginning with Chromium version M40, SSL certificates that expire between 2016/1/1 and 2016/12/31 inclusively will be shown the "Secure, but minor errors" icon, with text indicating that the site will cease working in future versions of Chrome.  Subresources loaded from sites using such certificates will cause a downgrade of the main indicator to the "Secure, but minor errors" icon, e.g. "passive" mixed content.

    Server certificates that expire on or after 2017/1/1 will be shown the "Affirmatively insecure, major errors" icon, with text indicating that the site will cease working in future versions of Chrome.  Subresources loaded from sites using such certificates will cause a downgrade of the main indicator to the "Affirmatively insecure, major errors" icon.
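
The following is an added example, not code from QuoVadis or the Chromium project: it applies the chain rule and the three-step schedule above to a certificate chain. The phase numbers 1 to 3 (one per bullet, in order), the dictionary field names, the sample chain, treating a self-signed entry as the root, and using the leaf certificate's expiry date are all assumptions made for illustration.

```python
from datetime import date

MINOR = "Secure, but minor errors"          # indicator names as quoted above
NEUTRAL = "Neutral, no security"
INSECURE = "Affirmatively insecure, major errors"
NO_CHANGE = "no change described"
CUTOFF = date(2017, 1, 1)

# One entry per bullet above, in order: (earliest leaf expiry that gets the
# minor-errors icon, indicator for a leaf expiring on or after 2017/1/1).
PHASES = {1: (date(2017, 1, 1), MINOR),
          2: (date(2016, 6, 1), NEUTRAL),
          3: (date(2016, 1, 1), INSECURE)}

# Constructed sample (leaf first): SHA256 leaf issued from a SHA1 intermediate.
SAMPLE_CHAIN = [
    {"subject": "www.example.test", "issuer": "Example Issuing CA",
     "sig_alg": "sha256WithRSAEncryption", "not_after": date(2017, 3, 1)},
    {"subject": "Example Issuing CA", "issuer": "Example Root CA",
     "sig_alg": "sha1WithRSAEncryption", "not_after": date(2020, 1, 1)},
    {"subject": "Example Root CA", "issuer": "Example Root CA",
     "sig_alg": "sha1WithRSAEncryption", "not_after": date(2030, 1, 1)},
]


def sha1_links(chain):
    """Subjects of non-root certificates that carry a SHA1 signature.

    A self-signed entry (subject == issuer) is taken to be the root and is
    skipped, since the root's algorithm is not relevant.
    """
    return [c["subject"] for c in chain
            if c["subject"] != c["issuer"] and "sha1" in c["sig_alg"].lower()]


def indicator(chain, phase):
    """Indicator the list above describes for this chain in a given phase."""
    if not sha1_links(chain):
        return NO_CHANGE
    minor_from, late_indicator = PHASES[phase]
    expires = chain[0]["not_after"]  # assumption: the leaf's expiry decides
    if expires >= CUTOFF:
        return late_indicator
    return MINOR if expires >= minor_from else NO_CHANGE


if __name__ == "__main__":
    print("SHA1 signatures in chain:", sha1_links(SAMPLE_CHAIN))
    for phase in PHASES:
        print("phase", phase, "->", indicator(SAMPLE_CHAIN, phase))
```

The signature algorithm and expiry of a real certificate can be read with `openssl x509 -noout -text` and `openssl x509 -noout -enddate`.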

 

More information on the proposed Chromium changes may be found here and here.