What is happening, and what was happening?
The SSL industry and the CA/B Forum have planned for the "sunsetting" (deprecation) of the SHA-1 signing algorithm for quite some time. However, their plan was formed mainly around Microsoft's desire to phase it out in 2017, alongside the end-of-life for Windows XP. This was widely understood to be the approved plan for CAs to follow, and preparation for moving from SHA-1 to its successor, SHA-2, would not have been necessary for many months.
However, Google recently made an announcement, in stark contrast to Microsoft's plan, that they are implementing their own SHA-1 sunsetting timeline, which will begin on September 26th, 2014.
This timeline has three distinct stages, which will result in degraded visual indicators in Google Chrome (padlock, green bar) for SHA-1 signed certificates meeting specific criteria (discussed in the section "What certificates are affected?" below).
This means it is now necessary to educate and assist our partners and customers on how to make the transition away from SHA-1.
Why?
First, let's understand what SHA-1 does. SHA-1 and its successor, SHA-2, are specific types of hash algorithms used in certificate signing. Signing algorithms are used as part of the identity validation role that SSL certificates perform. They are mathematical functions (referred to as a "hash") which, when applied to a file, calculate a value that should be persistent and unique to that file. So, for instance, the Word document this text is stored in has a unique SHA-1 hash value. If I change any single part of this file (add an extra period somewhere, change a letter, etc.), it will produce a different SHA-1 hash value.
When a certificate is downloaded from a server to the client's browser, a hash of it is taken. The type of hash (SHA-1, SHA-2, MD5, etc.) depends on how the certificate was signed. The hash calculated by the browser is compared to the hash value provided by the server, which was verified by the Certificate Authority (CA) at the time of issuance. If they match, the identity of the certificate and server are verified.
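A certificate records which algorithm the CA used to sign it in its signatureAlgorithm field, so a defender can check a DER-encoded certificate for a SHA-1 signature without contacting the server. This is an added example, not part of the original text: the minimal DER reader, the constructed stand-in certificates and the names SIGNATURE_OIDS, signature_algorithm and uses_sha1 are the example's own (a real inventory would use a full X.509 library).

```python
# OIDs that appear in a certificate's signatureAlgorithm field (RFC 3279, RFC 4055, RFC 5758)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, off):
    """Decode one DER tag-length-value (single-byte tags) at buf[off]; return (tag, value, next_off)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                    # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def decode_oid(value):
    """Convert encoded OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the name (or raw OID) of the algorithm the CA used to sign this certificate."""
    _, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, off = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, off)   # signatureAlgorithm ::= AlgorithmIdentifier
    _, oid, _ = read_tlv(alg_id, 0)      # its first element is the algorithm OID
    dotted = decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)

def uses_sha1(cert_der):
    """True when the CA's signature on the certificate is over a SHA-1 digest."""
    return "sha1" in signature_algorithm(cert_der).lower()

# Constructed stand-in certificates (NOT real X.509 data): only the outer layout is faithful.
def der(tag, content):
    return bytes([tag, len(content)]) + content

def fake_cert(alg_oid):
    tbs = der(0x30, der(0x02, b"\x01"))                       # placeholder tbsCertificate
    alg = der(0x30, der(0x06, alg_oid) + der(0x05, b""))      # AlgorithmIdentifier {oid, NULL}
    sig = der(0x03, b"\x00" + b"\xaa" * 4)                    # placeholder signatureValue
    return der(0x30, tbs + alg + sig)
SHA1_RSA_CERT = fake_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SHA256_RSA_CERT = fake_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
```

Running signature_algorithm over the DER of each certificate in a server inventory is enough to list the ones Chrome's timeline will flag.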
When is this happening?
Google's policy involves three distinct steps, the first beginning on September 26th. On this date, only customers with SHA-1 signed certificates expiring in 2017 are affected. However, the number of affected certificates will expand in November, and again in Q1 2015. The full details on which certificates are affected are in the section below, "The Nitty Gritty."
What certificates are affected?