Opened 10 years ago
Closed 10 years ago
#400 closed defect (fixed)
SHA-1 certificates from mitcert since 2013 will be degraded by Chrome
Reported by: | andersk | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | web | Keywords: | |
Cc: | | | |
Description
davidben points out that Chrome will be degrading SHA-1 certificates valid past 2016-01-01:
The following changes to Chromium's handling of SHA-1 are proposed:
- All SHA-1-using certificates that are valid AFTER 2017/1/1 are treated as insecure, but without an interstitial. That is, they will receive a degraded UI indicator, but users will NOT be directed to click through an error page.
- Additionally, the mixed content blocker will be taught to treat these as mixed content, which WILL require a user action to interact with.
- All SHA-1-using certificates that are valid AFTER 2016/1/1 are treated as insecure, but without an interstitial. They will receive a degraded UI indicator, but will NOT be treated as mixed content.
This seems to include all certificates that mitcert/InCommon has issued (and continues to issue!) since 2013-01-01, since they have a three year expiration date.
So we’re going to need to replace all these certificates soon. This might also be a good excuse to move to a 2048-bit private key (because a 4096-bit certificate signed by 2048-bit CAs provides no security benefit and is noticeably slower).
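The two cutoffs quoted above come down to a check on each certificate's signature algorithm OID and its notAfter date, and the 2048-bit remark to a check on the RSA modulus size. The script below, added here as an illustration and not part of this ticket or of any mitcert, InCommon or Chromium tooling, does exactly that with a minimal DER walker built on the standard library only. The certificates it inspects are constructed in memory by `build_sample_cert` (a fake modulus of the requested size, a dummy signature, a made-up `example.test` subject); `parse_cert` takes the DER bytes of a real certificate just the same. It reads "valid AFTER" literally, as notAfter strictly later than midnight on the cutoff date, which is an assumption about Chrome's exact boundary handling rather than something the ticket states.

```python
"""Classify X.509 certificates under the Chrome SHA-1 policy quoted above. Added example, standard
library only; sample certificates are constructed with a fake modulus and a dummy signature."""
import datetime
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
SHA1_SIG_OIDS = {SHA1_WITH_RSA, "1.2.840.10040.4.3", "1.2.840.10045.4.1"}  # + dsa/ecdsa with SHA-1

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte of each
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_time(tag, raw):
    """UTCTime (0x17, two-digit year, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    s = ("19" if int(s[:2]) >= 50 else "20") + s if tag == 0x17 else s
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")

def parse_cert(data):
    """Pull the signature OID, notAfter and RSA modulus size out of a DER certificate."""
    _, cert, _ = der_read(data, 0)
    tbs, sig_alg, _sig = der_children(cert)
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version, present on v2/v3 certificates
        fields = fields[1:]
    _serial, _alg, _issuer, validity, _subject, spki = fields[:6]
    not_after = decode_time(*der_children(validity[1])[1])
    key_alg, key_bits = der_children(spki[1])
    key_size = None  # stays None for non-RSA keys
    if decode_oid(der_children(key_alg[1])[0][1]) == RSA_ENCRYPTION:
        # BIT STRING payload: one unused-bits byte, then RSAPublicKey {modulus, exponent}
        modulus = der_children(der_read(key_bits[1], 1)[1])[0][1]
        key_size = int.from_bytes(modulus, "big").bit_length()
    return {"sig_oid": decode_oid(der_children(sig_alg[1])[0][1]),
            "not_after": not_after, "key_bits": key_size}

def chrome_sha1_status(info):
    """The three outcomes in the Chromium proposal, keyed on the certificate's notAfter."""
    if info["sig_oid"] not in SHA1_SIG_OIDS or info["not_after"] <= datetime.datetime(2016, 1, 1):
        return "ok"
    return "degraded-ui+mixed-content" if info["not_after"] > datetime.datetime(2017, 1, 1) else "degraded-ui"

def enc(tag, content):  # DER TLV encoder, used only to build the constructed sample certificates
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return enc(0x06, bytes(body))

def build_sample_cert(sig_oid, not_after, modulus_bits):
    """Well-formed DER with a fake modulus of the requested size and a dummy signature."""
    alg = enc(0x30, encode_oid(sig_oid) + enc(0x05, b""))
    name = enc(0x30, enc(0x31, enc(0x30, encode_oid("2.5.4.3") + enc(0x0C, b"example.test"))))
    validity = enc(0x30, b"".join(enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
                                  for d in (datetime.datetime(2014, 8, 1), not_after)))
    modulus = (1 << (modulus_bits - 1)) | 1  # right size, not a real key
    rsa_key = enc(0x30, enc(0x02, b"\x00" + modulus.to_bytes(modulus_bits // 8, "big")) + enc(0x02, b"\x01\x00\x01"))
    spki = enc(0x30, enc(0x30, encode_oid(RSA_ENCRYPTION) + enc(0x05, b"")) + enc(0x03, b"\x00" + rsa_key))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + alg + name + validity + name + spki)
    return enc(0x30, tbs + alg + enc(0x03, b"\x00" + bytes(16)))

def audit(cases):
    """cases: (label, signature OID, notAfter, modulus bits) tuples -> {label: (status, key bits)}."""
    out = {}
    for label, oid, not_after, bits in cases:
        info = parse_cert(build_sample_cert(oid, not_after, bits))
        out[label] = (chrome_sha1_status(info), info["key_bits"])
    return out
```

Fed the cases from the description, `audit` reports a 2013-issued three-year SHA-1 certificate (notAfter in 2016) as `degraded-ui`, a 2014-issued one (notAfter in 2017) as `degraded-ui+mixed-content`, and a SHA-1 certificate expiring before 2016 as `ok`, alongside the modulus size in bits. For a certificate on disk, strip the PEM armor and base64-decode it before calling `parse_cert`; the walker assumes the standard Certificate layout and reports `key_bits` as `None` for non-RSA keys.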
Change History (3)
comment:1 Changed 10 years ago by andersk
comment:2 Changed 10 years ago by andersk
An InCommon representative told us:
We're currently reviewing a draft SHA-2 profile from Comodo, and given that all parties would like to bring it live ASAP, I'm still of the belief that you'll be seeing SHA-2 as an option by this fall.
comment:3 Changed 10 years ago by geofft
- Resolution set to fixed
- Status changed from new to closed
Most of this was done a while back (I believe achernya sent out a ton of renewals to InCommon). We now have one current SHA-1 cert, expiring 7 August 2015, which puts it out of scope for Chrome's UI changes.
We've also updated all of our certificates (other than that one) to the 2048-bit key.
More details on Google’s timeline and UI indicators.