SHA-1 in 2017


An aggressive policy to remove SSL/TLS certificates signed with the SHA-1 hashing algorithm was announced in November 2013 by Microsoft. The SHA-1 hashing algorithm was considered weak to collision attacks, so the goal was to move to the stronger SHA-2 family of hashing algorithms.

The hash is a cryptographic representation of the certificate, which is used in certificate validation. It should be hard to have a hash collision where two certificates have the same hash. As SHA-1 is weak, the SSL/TLS industry now signs certificates mostly with the SHA-256 version.

SHA-1 Deprecation Program

The SHA-1 deprecation program required that certification authorities (CAs) stop signing with SHA-1 as of January 1, 2016. The goal would then have Windows stop trusting SHA-1 signed SSL/TLS certificates in 2017. Apple, Google and Mozilla all support the deprecation plan.

Many organisations urgently need to upgrade to SHA-2 SSL certificates in conjunction with the updated federal and PCI compliance standards currently in place as well as to meet Microsoft’s and Google’s SHA-1 deprecation polices as of January 2017.

Failure to migrate to SHA-2 in a timely manner will result in bowsers not displaying content properly and end-users receiving security warnings. This often causes users to abandon the website or transaction or call support services such as helpdesks or customer service. System outages if certificates are inappropriately replaced are also a possibility.  Also note that some subscribers have picked a certificate expiry date of December 31, 2016, so we anticipate a large move to SHA-2 in late December.

When will Browser Users be Impacted?

It is anticipated that all popular browser will show errors for SHA-1 signed SSL/TLS certificates in 2017:

  • Chrome: Google indicates Chrome 56 to be released at the end of January 2017 will remove trust for SHA-1 certificates from publicly trusted CAs. With Chrome 57, trust will be removed for SHA-1 certificates issued from private trust CAs. For private or local CAs, an enterprise can correct this error by implementing a change to enable SHA-1 for local anchors.
  • Firefox: Mozilla announced that with release 51 in January 2017, Firefox will show an Untrusted Connection error if a SHA-1 certificate chains to a root in the Mozilla CA certificate program that users can override.
  • Internet Explorer and Edge: Microsoft stated that on February 14, 2017 an update to Microsoft Edge and Internet Explorer 11 will be released to display an Invalid Certificate warning page alerting users that their connection is not secure. Although not recommended, browser users will have the option to continue to the website.
  • Safari: Apple has not stated a SHA-1 policy, but it is expected that browsers running on OS X or iOS will stop supporting SHA-1 signed certificates in 2017.

Certificate subscribers should keep moving to SHA-2 to ensure website visitors will not encounter browser error messages when using their website.

If you have yet to migrate to SHA-2, check out Entrust Datacard’s SHA-2 Migration Guide. It will help you plan and execute a successful SHA-2 migration to avoid extra costs, eliminate service disruptions and ensure compliance.

Contact MPA for further information or assistance with the SHA-1 migration.


Blog written by Bruce Morton- Director, Certificate Technology & Standards in SSL