Security Blog
The latest news and insights from Google on security and safety on the Internet
SHA-1 Certificates in Chrome
16 листопада 2016 р.
Posted by Andrew Whalley, Chrome Security
We’ve previously made
several
announcements
about Google Chrome's deprecation plans for SHA-1 certificates. This post provides an update on the final removal of support.
The SHA-1 cryptographic hash algorithm first
showed signs of weakness
over eleven years ago and
recent research
points to the imminent possibility of attacks that could directly impact the integrity of the Web PKI. To protect users from such attacks, Chrome will stop trusting certificates that use the SHA-1 algorithm, and visiting a site using such a certificate will result in an interstitial warning.
Release schedule
We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel
around the end of January 2017
. The removal will follow the
Chrome release process
, moving from Dev to Beta to Stable; there won't be a date-based change in behaviour.
Website operators are urged
to check
for the use of SHA-1 certificates and immediately contact their CA for a SHA-256 based replacement if any are found.
SHA-1 use in private PKIs
Previous posts made a distinction between certificates which chain to a public CA and those which chain to a locally installed trust anchor, such as those of a private PKI within an enterprise. We recognise there might be rare cases where an enterprise wishes to make their own risk management decision to continue using SHA-1 certificates.
Starting with
Chrome 54
we provide the
EnableSha1ForLocalAnchors
policy
that allows certificates which chain to a locally installed trust anchor to be used after support has otherwise been removed from Chrome. Features which
require a secure origin
, such as geolocation, will continue to work, however pages will be displayed as “neutral, lacking security”. Without this policy set, SHA-1 certificates that chain to locally installed roots will not be trusted starting with Chrome 57, which will be released to the stable channel in March 2017. Note that even without the policy set, SHA-1 client certificates will still be presented to websites requesting client authentication.
Since this policy is intended only to allow additional time to complete the migration away from SHA-1, it will eventually be removed in the first Chrome release after January 1st 2019.
As Chrome makes use of certificate validation libraries provided by the host OS when possible, this option will have no effect if the underlying cryptographic library disables support for SHA-1 certificates; at that point, they will be unconditionally blocked. We may also remove support before 2019 if there is a serious cryptographic break of SHA-1. Enterprises are encouraged to make every effort to stop using SHA-1 certificates as soon as possible and to consult with their security team before enabling the policy.
Немає коментарів :
Дописати коментар
Мітки
#sharethemicincyber
#supplychain #security #opensource
AI Security
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2025
черв.
трав.
квіт.
бер.
лют.
січ.
2024
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
трав.
квіт.
бер.
лют.
січ.
2023
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
трав.
квіт.
бер.
лют.
січ.
2022
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
трав.
квіт.
бер.
лют.
січ.
2021
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
трав.
квіт.
бер.
лют.
січ.
2020
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
трав.
квіт.
бер.
лют.
січ.
2019
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
трав.
квіт.
бер.
лют.
січ.
2018
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
трав.
квіт.
бер.
лют.
січ.
2017
груд.
лист.
жовт.
вер.
лип.
черв.
трав.
квіт.
бер.
лют.
січ.
2016
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
трав.
квіт.
бер.
лют.
січ.
2015
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
трав.
квіт.
бер.
лют.
січ.
2014
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
квіт.
бер.
лют.
січ.
2013
груд.
лист.
жовт.
серп.
черв.
трав.
квіт.
бер.
лют.
січ.
2012
груд.
вер.
серп.
черв.
трав.
квіт.
бер.
лют.
січ.
2011
груд.
лист.
жовт.
вер.
серп.
лип.
черв.
трав.
квіт.
бер.
лют.
2010
лист.
жовт.
вер.
серп.
лип.
трав.
квіт.
бер.
2009
лист.
жовт.
серп.
лип.
черв.
бер.
2008
груд.
лист.
жовт.
серп.
лип.
трав.
лют.
2007
лист.
жовт.
вер.
лип.
черв.
трав.
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
Follow
Немає коментарів :
Дописати коментар