Who are Google, Mozilla and Microsoft teaming up against? Or: SHA-1 is a thing of the past

    On September 5, 2014, the developers of the Chromium browser announced on their blog that by January 1, 2017, their browser would no longer support the SHA-1 hash algorithm. This algorithm was (and still is) used for issuing SSL certificates. All Chromium-based browsers (including Google Chrome) will no longer support SHA-1. Google's initiative was also supported by Mozilla and Microsoft. The starting point can be considered the release of Chrome version 39 at the end of November 2014.


    Why was it decided to abandon SHA-1?

    Almost all sites that use SSL to encrypt transmitted traffic have SSL certificates based on the SHA-1 hash algorithm.
    This algorithm was created in 2005 and, after 9 years of use, is already obsolete.
    Wikipedia has a description of this hashing algorithm along with calculations for possible attacks. Security specialist Bruce Schneier also posted on his blog calculations of the cost of finding collisions (when the same hash value can correspond to two different messages). The price of the resources required drops sharply every year. Thus, by 2018, conducting an attack will be relatively cheap and will be possible not only for government organizations and research centers, but also for some criminal groups.
    Therefore, SHA-2 is proposed as the replacement for SHA-1.

    What is the reaction of browser developers?
    Google
    In each version of Google Chrome, a security indicator for the SSL connection will be displayed in the corresponding form if the site uses a certificate signed with the SHA-1 algorithm.

    Timeline for the release of new versions of Chrome browsers and related indicators:



    Mozilla
    Mozilla supported Google's initiative and also laid out its plan for refusing to work with certificates signed using SHA-1 in the Firefox browser.
    Like Chrome, this will be introduced in stages.
    Starting with Firefox 35, it is planned to add a warning to the Web Console (Menu -> Development -> Web Console) in the Security category. It will be implemented in the next few weeks, and will appear in versions of Firefox closer to the beginning of 2015.
    Graphical indicators are planned to be added even later. For SHA-1 certificates whose validity period expires after January 1, 2016 (inclusive), the status "Untrusted connection" will be displayed. And from January 1, 2017, when SHA-1 is detected, only this status will be displayed for all sites.



    Certificates signed with SHA-1 valid after January 1, 2017 will be rejected starting January 1, 2017.

    Microsoft
    Information about Internet Explorer dropping support for connections that use certificates signed with the SHA-1 algorithm appeared in employee technical blogs back in November 2013. From then on, Microsoft made policy changes regarding certificates created using the SHA-1 hash algorithm and regarding certificate authorities themselves. This applies to versions of Windows starting with Windows Vista and Windows Server 2008.
    According to the changes, certification authorities should stop issuing SSL certificates signed with the SHA-1 algorithm from January 1, 2016.
    Windows will stop accepting such SSL certificates from January 1, 2017, on the assumption that by this time SHA-1 will have been replaced by SHA-2.
    Certificates signed with SHA-1 will not be accepted starting January 1, 2016, and those issued after January 1, 2016 will have the status of untrusted.
    For Windows users themselves, no additional steps are required.

    You can test your browser at this address: https://ssltest39.ssl.symclab.com/
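
As an added example (not from the original article or from any browser vendor), the following Python script triages certificates against the 2016 and 2017 cut-off dates described above. It reads the text printed by `openssl x509 -noout -text`; the sample excerpts and the category names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Cut-off dates taken from the article's Mozilla and Microsoft timelines.
CUTOFF_2016 = datetime(2016, 1, 1, tzinfo=timezone.utc)
CUTOFF_2017 = datetime(2017, 1, 1, tzinfo=timezone.utc)

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
SAMPLE_SHA1_LONG = """Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Mar  3 00:00:00 2014 GMT
            Not After : Mar  2 23:59:59 2017 GMT
"""
SAMPLE_SHA1_SHORT = SAMPLE_SHA1_LONG.replace("Mar  2 23:59:59 2017", "Jun 30 12:00:00 2015")
SAMPLE_SHA256 = SAMPLE_SHA1_LONG.replace("sha1With", "sha256With")


def parse_cert_text(text):
    """Return (signature_algorithm, not_after) from openssl text output."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text)
    end = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    if not alg or not end:
        raise ValueError("not recognisable `openssl x509 -text` output")
    # openssl pads single-digit days with an extra space; normalise before parsing.
    stamp = " ".join(end.group(1).split())
    not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return alg.group(1), not_after


def sha1_risk(text):
    """Classify a certificate against the 2016/2017 cut-offs described above."""
    alg, not_after = parse_cert_text(text)
    if not re.search(r"sha-?1(?!\d)", alg, re.IGNORECASE):
        return "ok"
    if not_after >= CUTOFF_2017:
        return "reissue-first"       # still valid when SHA-1 is rejected outright
    if not_after >= CUTOFF_2016:
        return "reissue-soon"        # will show "Untrusted connection" in Firefox
    return "expires-before-cutoffs"  # replace with SHA-2 at normal renewal


if __name__ == "__main__":
    for name in ("SAMPLE_SHA1_LONG", "SAMPLE_SHA1_SHORT", "SAMPLE_SHA256"):
        print(name, "->", sha1_risk(globals()[name]))
```

Intermediate certificates in the chain carry their own signature algorithm, so check each one's text output the same way.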
