If you’re using Chrome, and in all likelihood you are, given that nearly half of global users are on Google’s browser, you may have noticed a security warning. Should you be worried?
This time last year, unbeknownst to many, Google published a post on its Security Blog outlining a timeframe for moving away from SHA-1 (Secure Hash Algorithm 1). The post went up on September 5th, 2014 and gave specific dates after which Google Chrome would change how it treats SSL certificates whose chains carry SHA-1 signatures. The plan is ultimately to phase out SHA-1 in favor of SHA-2. Since then, Google has stuck to its schedule and has started showing warnings for certain SSL connections under certain conditions.
SHA-1: Coming to an End Near You
SSL, the Secure Sockets Layer, is the protocol your web browser uses to form a secure connection with a website. When you see https:// instead of http://, you are using an SSL connection to that website. A secure handshake happens between your computer and the site's web server using the server's public/private key pair, and the server proves it owns that key pair with its certificate. When a Certificate Authority (CA) issues that certificate, it signs it: the certificate's contents are run through a hashing algorithm and the resulting digest is signed with the CA's key. The hashing algorithm your CA used for that signature, together with the dates on your certificate (the timeline below keys on the expiry date), determines whether you receive a warning in Chrome. By 2017, Microsoft, Mozilla, and Google all plan to stop accepting SHA-1 certificates in their browsers.
The main issue is that SHA-1, the hashing algorithm used to sign most of the SSL certificates in the world, has officially been deprecated since 2011, when the CA/Browser Forum published its Baseline Requirements for SSL. That set of documents has since been updated, stands as the authority on recommended SSL best practices, and sets industry standards in motion. One of the standards laid out in 2011 was a move away from SHA-1 as soon as possible. Google took this as a cue to get the ball rolling by having Chrome show a warning for SSL connections secured by a certificate chain that contains a SHA-1 signature anywhere in it. The same warning indicator can also be triggered by something as simple as an image loaded from an insecure URL on a secure page (passive mixed content), but there are other warnings to look out for these days.
Cache Bug Discovered
The impending threat of insecure-connection warnings from one of the most used browsers in the world forced certificate authorities such as Network Solutions, GoDaddy, Namecheap, and others to re-issue customer certificates using the SHA-2 algorithm. The problem during this transition was that some CAs thought they could simply re-issue the customer's certificate without re-issuing their root or intermediate certificates. This led to a bug we encountered recently: Chrome caches the old SHA-1 certificate chain and displays a false warning. Luckily there are some nice tools available to verify that an SSL server is serving SHA-2 and that every certificate up the chain is signed with the SHA-2 hashing algorithm.
SSL Secured = Better SEO
We secure all of our internal websites with SSL and now suggest it for all of our clients, as Google has even started using SSL-secured sites as a signal of trust in its search algorithms. Migrating all of our internal properties and client properties from SHA-1 to SHA-2 was much easier with the following tools:
Browser Security Timeline
Specific dates to be aware of:
September 2014 (Chrome 39)
- Sites with end-entity (“leaf”) certificates that expire on or after 1 January 2017, and that include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors.”
- The current visual display for “secure, but with minor errors” is a lock with a yellow triangle, and is used to highlight other deprecated and insecure practices, such as passive mixed content.
December 2014 (Chrome 40)
- Sites with end-entity certificates that expire between 1 June 2016 and 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors.”
- Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “neutral, lacking security.”
March 2015 (Chrome 41)
- Sites with end-entity certificates that expire between 1 January 2016 and 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors.”
- Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure.” Subresources from such domains will be treated as “active mixed content.”
- The current visual display for “affirmatively insecure” is a lock with a red X, and a red strike-through text treatment in the URL scheme.
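To make both the chain check from the Cache Bug section and the timeline above concrete, here is an added Python example (it is not Zivtech's code, nor one of the tools the post refers to). A tiny DER walker reads the signatureAlgorithm and notAfter fields of each certificate, flags any SHA-1 signature in the chain, and maps the leaf's expiry date onto the Chrome 39/40/41 rules listed above. The certificates it builds with make_cert() are constructed stand-ins with dummy key and signature bytes so the script runs offline; on a real site you would feed it the DER certificates exported from the server (for example from the output of openssl s_client -showcerts), leaving the root out because its self-signature is not what the browser scores.

```python
from datetime import date, datetime

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) and the hash each one uses.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:                                   # long-form length: 0x8n followed by n length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def _children(content):
    """Split a SEQUENCE's content into its (tag, content) elements."""
    pos, out = 0, []
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _parse_time(tag, raw):
    """UTCTime (0x17) is YYMMDDHHMMSSZ under RFC 5280's century rule; GeneralizedTime (0x18) has four-digit years."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").date()

def inspect_cert(der):
    """Read signatureAlgorithm and notAfter from one DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _sig = _children(cert)[:3]   # Certificate ::= SEQUENCE {tbs, alg, signature}
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    validity = fields[3]                        # serialNumber, signature, issuer, validity, ...
    not_after_tag, not_after_raw = _children(validity[1])[1]
    name, family = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
    return {"signature_algorithm": name, "hash_family": family,
            "not_after": _parse_time(not_after_tag, not_after_raw)}

def chrome_treatment(chain, chrome_version):
    """chain: DER certs, leaf first, then intermediates. Leave the root out: trust in
    it comes from the browser's root store, so its self-signature is not scored."""
    certs = [inspect_cert(c) for c in chain]
    if not any(c["hash_family"] == "SHA-1" for c in certs):
        return "secure"
    expiry = certs[0]["not_after"]              # only the leaf's expiry drives the schedule
    beyond_2016 = expiry >= date(2017, 1, 1)
    if chrome_version >= 41:
        if date(2016, 1, 1) <= expiry <= date(2016, 12, 31):
            return "secure, but with minor errors"
        if beyond_2016:
            return "affirmatively insecure"
    elif chrome_version == 40:
        if date(2016, 6, 1) <= expiry <= date(2016, 12, 31):
            return "secure, but with minor errors"
        if beyond_2016:
            return "neutral, lacking security"
    elif chrome_version == 39 and beyond_2016:
        return "secure, but with minor errors"
    return "secure"

SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # DER body of OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # DER body of OID 1.2.840.113549.1.1.11

def _der(tag, content):
    assert len(content) < 0x80, "short-form length is enough for these tiny stand-in certs"
    return bytes([tag, len(content)]) + content

def make_cert(sig_oid_body, not_after):
    """Constructed stand-in (dummy key and signature bytes): just enough of an RFC 5280 Certificate for inspect_cert()."""
    alg = _der(0x30, _der(0x06, sig_oid_body) + b"\x05\x00")   # AlgorithmIdentifier with NULL params
    validity = _der(0x30, _der(0x17, b"150101000000Z")
                    + _der(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode()))
    empty = _der(0x30, b"")                                      # stand-in Name / SubjectPublicKeyInfo
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + empty + validity + empty + empty)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 5))

CHAINS = {  # constructed sample chains, leaf first
    "SHA-2 leaf under a SHA-1 intermediate (the cache-bug case)":
        [make_cert(SHA256_RSA, date(2017, 6, 1)), make_cert(SHA1_RSA, date(2020, 1, 1))],
    "SHA-1 leaf expiring March 2016": [make_cert(SHA1_RSA, date(2016, 3, 1))],
    "all SHA-2": [make_cert(SHA256_RSA, date(2017, 6, 1))],
}

if __name__ == "__main__":
    for label, chain in CHAINS.items():
        print(label, {v: chrome_treatment(chain, v) for v in (39, 40, 41)})
```

The first sample chain is the situation the Cache Bug section describes: the re-issued leaf is SHA-2, but the intermediate above it is still signed with SHA-1, so the chain is scored exactly as if the leaf itself were SHA-1. Note that the schedule is keyed on the leaf's expiry date only; the intermediate's own expiry does not matter.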
Security Over Here
Zivtech has secured all of its internal sites and client sites with SHA-2 certificates at this point, and Chrome is no longer showing these warnings. If you are still seeing these warnings for your website, you should update your SSL certificate with your issuing Certificate Authority as soon as possible. If you are seeing these warnings on websites that you log in to or shop on regularly, you should contact them and let them know what you have learned about the weak hashing algorithm they are using and how to fix it. Now you can make better decisions about sites showing a warning. Be careful out there!