It’s been a long time coming, but in the next version of Google’s Chrome, HTTPS websites with an SHA-1 certificate will be clearly marked as unsafe with a red cross in the URL bar.


What does this mean exactly?

Google announced the change a while ago, but come the next version of Chrome it goes into effect. Websites that still use an SSL certificate signed with the SHA-1 hash algorithm will be clearly marked as unsafe.

The website will still load, however. The user doesn’t have to click through the usual “Your connection is not private. Are you sure you want to continue?” screen, so there’s no “obstacle” when approaching the site.

But the URL bar will no longer show the trusted green HTTPS icon. Instead, it shows a very clear red cross to indicate that this connection is actually unsafe.

Why is SHA-1 unsafe?

Some time ago it was discovered that the SHA-1 hash algorithm is no longer strong enough to resist the amount of computing power found in current computers. That’s why for some time now the SHA-256 algorithm has been used to sign new SSL certificates.

All Nucleus certificates in recent years have been issued with the SHA-256 algorithm.

What does the unsafe-notification look like?

We can take a peek at a website that’s well known amongst geeks: XKCD.

In the current Chrome version, 41, the website loads perfectly. However, the green text on the HTTPS icon disappeared some time ago, to indicate that this adjustment was coming.

xkcd_sha1_chrome

If we visit the website in the latest Chrome Beta or Chrome Canary, which contain versions 42 and 44 of the Chrome browser respectively, we already get a different notification.

xkcd_sha1_chrome_blocked

The website still loads, but Chrome does make it clear that this is an unsafe connection, even though the SSL certificate is valid. The notification is only shown for SHA-1 certificates with an expiration date in 2016 or later. Certificates that expire before 2016 don’t get this notification.

The entire chain matters

SSL certificates are built on a whole chain of trust, from Root Certificates to Intermediates to the final Domain or Organization SSL certificate. In the case of the XKCD website, the Domain Certificate is fine, but the intermediate isn’t.

xkcd_sha265_certificate

The ordered SSL certificate had the correct SHA-256 algorithm, but the intermediate unfortunately didn’t. That’s why Chrome marks it as unsafe.

xkcd_rapidssl_intermediate_sha1
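The two points above, the 2016 cutoff and the fact that a single SHA-1 intermediate spoils an otherwise SHA-256 chain, can be turned into a check. The Go program below is an added example for this post, not code from the original article or from Nucleus. Using only the standard library it builds a throwaway chain shaped like the XKCD one (constructed names and dates: a SHA-256 root, a SHA-1 signed intermediate and a SHA-256 signed leaf) and reports every certificate that Chrome 42 would flag. Skipping the self-signed root is an assumption of the example, based on the fact that browsers never verify a trust anchor’s own signature.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one certificate Chrome 42+ treats as unsafe: SHA-1 signed and expiring in 2016 or later.
type Finding struct {
	Subject   string
	Algorithm x509.SignatureAlgorithm
	NotAfter  time.Time
}

// sha1Based reports whether a certificate signature algorithm is built on SHA-1.
func sha1Based(a x509.SignatureAlgorithm) bool {
	switch a {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		return true
	}
	return false
}

// AuditChain walks a chain (leaf first, root last) and applies the post's rule to each
// certificate. A self-signed root is skipped: browsers never verify a trust anchor's own
// signature, so its hash algorithm is irrelevant (an assumption of this example, not of the post).
func AuditChain(chain []*x509.Certificate) []Finding {
	cutoff := time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC)
	var findings []Finding
	for _, c := range chain {
		if bytes.Equal(c.RawSubject, c.RawIssuer) {
			continue // self-signed root
		}
		if sha1Based(c.SignatureAlgorithm) && !c.NotAfter.Before(cutoff) {
			findings = append(findings, Finding{c.Subject.CommonName, c.SignatureAlgorithm, c.NotAfter})
		}
	}
	return findings
}

// mustKey generates a throwaway RSA key for the demo chain.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with the parent's private key and parses the resulting DER.
func mustCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func jan1(year int) time.Time { return time.Date(year, time.January, 1, 0, 0, 0, 0, time.UTC) }

// BuildDemoChain constructs a chain mirroring the XKCD case in the post: SHA-256 root, SHA-1 signed
// intermediate, SHA-256 signed leaf. The intermediate's expiry is a parameter so the 2016 cutoff
// can be exercised. Names and dates are constructed for this example.
func BuildDemoChain(intermediateExpiry time.Time) []*x509.Certificate {
	rootKey, interKey, leafKey := mustKey(), mustKey(), mustKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: jan1(2014), NotAfter: jan1(2030), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: x509.SHA256WithRSA,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example SHA-1 Intermediate CA"},
		NotBefore: jan1(2014), NotAfter: intermediateExpiry, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: x509.SHA1WithRSA, // the weak link
	}
	inter := mustCert(interTmpl, root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"}, NotBefore: jan1(2014), NotAfter: jan1(2017),
		KeyUsage: x509.KeyUsageDigitalSignature, SignatureAlgorithm: x509.SHA256WithRSA,
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return []*x509.Certificate{leaf, inter, root}
}

func main() {
	for _, f := range AuditChain(BuildDemoChain(jan1(2019))) {
		fmt.Printf("UNSAFE: %s is signed with %v and expires %s\n", f.Subject, f.Algorithm, f.NotAfter.Format("2006-01-02"))
	}
}
```

Run as-is, the program reports only the intermediate: the leaf is SHA-256 and the root is a trust anchor. To audit a live site instead of the constructed chain, hand AuditChain the certificates from a tls.Dial connection’s ConnectionState().PeerCertificates, which are already ordered leaf first.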

What does Nucleus do?

Of course we haven’t been sitting around twiddling our thumbs. At one time we did publish SSL certificates with the SHA-1 algorithm, because that had the best browser support and was “OK” to do back then. But the times have changed, especially in the security world.

All customers that still have an SHA-1 certificate that was ordered through us will be contacted by us to replace their certificate.

Need help?

Are you unsure whether or not your SSL connection will still work with the next version of Google Chrome? Don’t hesitate to contact us; our support team will gladly help you.
