It’s been a long time coming, but in the next version of Google’s Chrome, HTTPS websites with an SHA-1 certificate will be clearly marked as unsafe with a red cross in the URL bar.


What does this mean exactly?

Google announced the change a while ago, but come the next version of Chrome, it’s going into effect. Websites that still use an SSL certificate signed with the SHA-1 hash algorithm will be clearly marked as unsafe.

The website will still load, however. The user doesn’t have to click through the typical “Your connection is not private. Are you sure you want to continue?” screen. So there’s no “obstacle” when approaching the site.

But the URL bar will no longer show the trusted green HTTPS icon. Instead it shows a very clear red cross to indicate that this connection is actually unsafe.

Why is SHA-1 unsafe?

Some time ago it was discovered that the SHA-1 hash algorithm is no longer resistant to the amount of computing power found in current computers. That’s why the SHA-256 algorithm has been used for some time now to issue new SSL certificates.

All Nucleus certificates in recent years have been issued with the SHA-256 algorithm.

What does the unsafe-notification look like?

We can take a peek at a website that’s well known amongst geeks: XKCD.

In the current Chrome version, 41, the website loads perfectly. However, the green text on the HTTPS icon disappeared some time ago, to indicate that this adjustment was coming.


If we visit the website in the latest Chrome Beta or Chrome Canary version, which contain versions 42 and 44 of the Chrome browser respectively, we already get a different notification.


The website still loads, but it does make it clear that this is an unsafe connection, even though the SSL certificate is valid. The notification is only shown for SHA-1 certificates with an ultimate expiration date of 2016 or later. Certificates that expire before 2016 don’t get this notification.

The entire chain matters

SSL certificates are built on a whole chain of trust, from Root Certificates to Intermediates to the final Domain or Organization SSL certificate. In the case of the XKCD website the Domain Certificate is fine, but the intermediate isn’t.


The ordered SSL certificate had the correct SHA-256 algorithm, but the intermediate unfortunately didn’t. That’s why Chrome marks it as unsafe.
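To see which link in a chain is the problem, the added example below (not code from the original post) reads the signature algorithm of each certificate with a small standard-library DER parser. The function names and the sample chain are assumptions for illustration; the sample consists of constructed DER skeletons that mirror the XKCD case, not real certificates.

```python
import ssl

# DER-encoded OIDs of common certificate signature algorithms -> hash they use
SIG_HASH = {
    bytes.fromhex("2a864886f70d010105"): "sha1",    # sha1WithRSAEncryption
    bytes.fromhex("2a864886f70d01010b"): "sha256",  # sha256WithRSAEncryption
    bytes.fromhex("2a8648ce3d0401"): "sha1",        # ecdsa-with-SHA1
    bytes.fromhex("2a8648ce3d040302"): "sha256",    # ecdsa-with-SHA256
}

def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signature_hash(cert):
    """Hash the issuer used to sign one certificate (PEM str or DER bytes)."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    _, body, _ = read_tlv(der)       # Certificate ::= SEQUENCE {
    _, _, pos = read_tlv(body)       #   tbsCertificate (skipped),
    _, alg, _ = read_tlv(body, pos)  #   signatureAlgorithm SEQUENCE {
    _, oid, _ = read_tlv(alg)        #     algorithm OID, ... } ... }
    return SIG_HASH.get(oid, "unknown")

def sha1_links(chain):
    """Positions (0 = domain certificate) of SHA-1-signed certificates."""
    return [i for i, cert in enumerate(chain) if signature_hash(cert) == "sha1"]

# Constructed sample: DER skeletons with an empty tbsCertificate and signature,
# not real certificates. Only the signatureAlgorithm field is meaningful.
def skeleton(oid_hex):
    oid = bytes.fromhex(oid_hex)
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return bytes([0x30, len(body)]) + body

SAMPLE_CHAIN = [
    skeleton("2a864886f70d01010b"),  # domain certificate, SHA-256
    skeleton("2a864886f70d010105"),  # intermediate, SHA-1
]

if __name__ == "__main__":
    print(sha1_links(SAMPLE_CHAIN))
```

For a real check, pass the PEM or DER certificates your server actually sends, domain certificate first.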


What does Nucleus do?

Of course we haven’t been sitting around twiddling our thumbs. At one time we did issue SSL certificates with the SHA-1 algorithm, because that had the best browser support and was “OK” to do back then. But the times have changed, especially in the security world.

We will contact all customers who still have an SHA-1 certificate ordered through us to replace their certificate.

Need help?

Are you unsure whether or not your SSL connection will still work with the next version of Google Chrome? Don’t hesitate to contact us; our support team will gladly help you.
