Moment of truth: Web browsers and the SHA-1 switch

The long-awaited SHA-1 deprecation deadline of Jan. 1, 2017, is almost here. At that point, we’ll all be expected to use SHA-2 instead. So the question is: What is your browser going to do when it encounters a SHA-1 signed digital certificate?

We’ll delve into the answers in a minute. But first, let’s review what the move from SHA-1 to SHA-2 is all about.

Getting from SHA-1 to SHA-2

SHA-1 is a cryptographic hash officially recommended by NIST. It’s used to verify digital content, as well as digital certificates and certificate revocation lists (CRLs). Whenever a PKI certification authority (CA) issues a certificate or CRL, it signs it with a hash to assist “consuming” applications and devices with trust verification. 

In January 2011, SHA-2 became the new, recommended, stronger hashing standard. SHA-2 is often called “the SHA-2 family of hashes” because it contains hashes of many different lengths, including 224-bit, 256-bit, 384-bit, and 512-bit digests. The most popular one is 256 bits by a large margin.

Who declared Jan. 1, 2017 the drop-dead date for SHA-1? Three of the top browser vendors and dozens of other software vendors. They belong to a vendor consortium called the CA Browser Forum, which publishes requirements for public CAs in its frequently updated Baseline Requirements document.

The CA Browser forum’s SHA-1 deprecation requirements apply to all but two types of certificates (covered below), although some browser vendors care only about web server certificates. Per the CA Browser forum, no public CA is allowed to issue SHA-1-signed certificates after Jan. 1, 2016, for certificates that expire after Dec. 31, 2016, although in some browsers, any SHA-1 certificate expiring after Dec. 31, 2017, is flagged, regardless of when it was issued.

The CA Browser Forum specifically excludes root CA server certificates and cross CA certificates from the SHA-1 deprecation requirements. This means you do not have to worry about your root CA’s certificate, although you probably need to worry about how it signs subordinate CA certificates and CRLs.

Your browser’s reaction

Some major browser vendors have been issuing warnings and error messages for two years. Today, some browsers put an X through the HTTPS indicator (Google Chrome), don’t display the lock icon (Microsoft Edge and Internet Explorer), or simply remove the HTTPS portion of the URL (Apple Safari).

Some browsers, such as Firefox, don’t show any indication when consuming an SHA-1 certificate; others may or may not depending on whether you’re using a PC or mobile version of the browser. In some cases, the protection given by the SHA-1 TLS certificate is still active even though the browser appears to indicate that it is not (for example, Chrome, Edge, or Internet Explorer).

SHA-1 deprecation in the major browsers

Certificate types and deprecation evaluation

What certificate types will be evaluated for SHA-1 deprecation? It depends on the browser. 

The CA Browser forum says all certificates will be evaluated except for root CA server and cross-CA certificates. But I have seen browsers that popped up an error message on SHA-1 root CA certificates when they were acting as an “intermediate” root CA in a three- or four-tier PKI hierarchy and on cross-CA certificates.

Microsoft will only evaluate certificates that originate from a PKI chain registered in the Microsoft Trusted Root program. Certificates originating from a PKI chain registered in the Microsoft Trusted Root program will be evaluated only if they contain the Server Authentication OID. This is an important point because some TLS certificates may contain the Client Authentication or Workstation Authentication OIDs only. (See Microsoft’s SHA-1 deprecation policy.)

Other browser vendors say they will inspect “all” certificates for SHA-1 deprecation, but in practice this always excludes the root CA server certificates and may technically mean only web server or Server Authentication OID certificates. I’ve had a hard time nailing down browser vendors on exactly which certificates they will include in deprecation-checking. Mozilla did confirm it also checks for the deprecated Netscape Step-Up OID.

Mozilla Firefox, Google Chrome, and Opera browsers will check both public and private certificates by default, although you can manually register private PKI chains (sometimes called enterprise chains) to be excluded from SHA-1 deprecation checking. You can find Mozilla’s latest SHA-1 deprecation statement here; Google’s can be found here.

As of Jan. 1, 2017, “full” SHA-1 deprecation enforcement is supposed to happen, although Microsoft will actually begin full enforcement on Feb. 14, 2017 (the second Patch Tuesday of the year). Mozilla says it will begin full enforcement in January 2017, with no specific date, whereas Google (and Opera) will begin full enforcement by the end of January 2017.

All browsers will eventually evaluate all certificates, public or private, with no exceptions allowed, although this is will probably be many years out. Expect any new improvement in SHA-1 cracking to speed up timelines and incur policy updates.