Google’s SHA-1 Deprecation Plan for Chrome
The latest news in the SSL and web browser industries is Google’s plans to deprecate SHA-1 in a unique way on upcoming releases of Chrome starting with version 39. Considerably different from Microsoft’s plans that were announced in November 2013, Google plans on placing visual marks or placing a block within the browser; all based on the version of the browser, date of use and certificate’s expiration date.
What we expect to see with future Chrome releases:
Chrome 39 (Beta release: 26 September 2014, tentative production release: November 2014):
- Any SHA-1 SSL certificate, on a page, that expires on or after 1 January 2017 will be treated as “secure, but with minor errors”. The lock within the address bar of the browser will have a yellow arrow over the lock.
Chrome 40 (Beta release: 7 November 2014, tentative production release: post-holiday season):
- Pages secured with a SHA-1 certificate expiring between 1 June 2016 and 31 December 2016 inclusive will experience the same treatment as described above.
- Additionally, pages secured with a SHA-1 certificate expiring after 1 January 2017 will be treated as “neutral, lacking security”. The lock in the address bar will be replaced by a blank page icon.
Chrome 41 (Q1-Q2 2015):
- Sites secured with a SHA-1 certificate with validity dates terminating between 1 January 2016 and 31 December 2016 inclusive will be treated as “Secure, but with minor errors.”
- Sites secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “affirmatively insecure”. The lock will have a red “X” over it with the letters “HTTPS” crossed out with a red font.
GlobeSSL offers free replacements for affected GlobeSSL SSL certificates. If your GlobeSSL certificates are affected you can replace them at no additional charge for a SHA-2 certificate from the following URL :https://confirm.globessl.com/cm.html