It’s been a long time coming, but in the next version of Google’s Chrome, HTTPS websites with an SHA-1 certificate will be clearly marked as unsafe with a red cross in the URL bar.


What does this mean exactly?

Google announced the change a while ago, but with the next version of Chrome it goes into effect. Websites that still use an SSL certificate signed with the SHA-1 hash algorithm will be clearly marked as unsafe.

The website will still load, however. The user doesn’t have to click through the typical “Your connection is not private. Are you sure you want to continue?” screen. So there’s no “obstacle” when approaching the site.

But the URL bar will no longer show the trusted green HTTPS icon. Instead, it shows a very clear red cross to indicate that this connection is actually unsafe.

Why is SHA-1 unsafe?

Some time ago it was established that the SHA-1 hash algorithm is no longer resistant to the amount of computing power found in current computers. That’s why, for some time now, the SHA-256 algorithm has been used to issue new SSL certificates.

All Nucleus certificates in recent years have been issued with the SHA-256 algorithm.

What does the unsafe notification look like?

We can take a peek at a website that’s well known amongst geeks: XKCD.

In the current Chrome version, 41, the website loads perfectly. However, the green text on the HTTPS icon disappeared some time ago, to indicate that this adjustment was coming.

[Screenshot: xkcd_sha1_chrome]

If we visit the website in the latest Chrome Beta or Chrome Canary version, which contain versions 42 and 44 of the Chrome browser respectively, we already get a different notification.

[Screenshot: xkcd_sha1_chrome_blocked]

The website still loads, but it does make it clear that this is an unsafe connection, even though the SSL certificate is valid. The notification is only shown for SHA-1 certificates with an expiration date in 2016 or later. Certificates that expire before 2016 don’t get this notification.

The entire chain matters

SSL certificates are built on a whole chain of trust, from Root Certificates to Intermediates to the final Domain or Organization SSL certificate. In the case of the XKCD website the Domain Certificate is fine, but the intermediate isn’t.

[Screenshot: xkcd_sha265_certificate]

The SSL certificate that was ordered was signed with the correct SHA-256 algorithm, but the intermediate unfortunately wasn’t. That’s why Chrome marks it as unsafe.

[Screenshot: xkcd_rapidssl_intermediate_sha1]
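To check a chain yourself, here is an added example (not code from this post or from Nucleus) that walks a list of DER-encoded certificates, reads the signature algorithm of each one and reports which links are signed with SHA-1. The three certificates it runs on are constructed stand-ins with a dummy tbsCertificate, so expiry dates are not checked; real certificates exported with `openssl x509 -outform DER` work as input too, since only the outer Certificate structure is parsed.

```python
from typing import List, Tuple

OIDS = {  # signature-algorithm OIDs named here; anything else is reported dotted
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs; the high bit is set on every byte but the last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der: bytes) -> str:
    """Name of the outer signatureAlgorithm of one DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, after_tbs = _tlv(cert, 0)       # skip tbsCertificate entirely
    _, alg_id, _ = _tlv(cert, after_tbs)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    dotted = _decode_oid(oid)
    return OIDS.get(dotted, dotted)

def sha1_links(chain: List[bytes]) -> List[int]:
    """Indices (0 = leaf) signed with SHA-1; the last element is the trust anchor,
    whose self-signature browsers do not verify, so it is skipped."""
    return [i for i, c in enumerate(chain[:-1]) if "sha1" in signature_algorithm(c).lower()]

# Constructed stand-ins (not real certificates): the real outer layout around a dummy
# tbsCertificate: SEQUENCE { SEQUENCE { INTEGER 1 }, SEQUENCE { OID, NULL }, BIT STRING }.
SHA1_RSA, SHA256_RSA = "2a864886f70d010105", "2a864886f70d01010b"
def _fake_cert(oid_hex: str) -> bytes:
    body = bytes.fromhex("3003020101" + "300d0609" + oid_hex + "0500" + "030200aa")
    return bytes([0x30, len(body)]) + body
# Same shape as the XKCD chain in the post: SHA-256 leaf, SHA-1 intermediate, SHA-256 root.
XKCD_LIKE_CHAIN = [_fake_cert(SHA256_RSA), _fake_cert(SHA1_RSA), _fake_cert(SHA256_RSA)]
```

`sha1_links(XKCD_LIKE_CHAIN)` returns `[1]`, pointing at the intermediate just as Chrome does in the screenshots above.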

What does Nucleus do?

Of course we haven’t been sitting around twiddling our thumbs. At one time we did publish SSL certificates with the SHA-1 algorithm, because that had the best browser support and was “OK” to do back then. But the times have changed, especially in the security world.

All customers that still have an SHA-1 certificate ordered through us will be contacted by us to replace their certificate.

Need help?

Are you unsure whether or not your SSL connection will still work with the next version of Google Chrome? Don’t hesitate to contact us; our support team will gladly help you.
