Over the course of 2015, Google has been actively tightening up its standards in relation to security certificates — the cryptographic codes used to establish which connections can and cannot be trusted. Heading into next year, the company has announced further restrictions on the certificates supported by its Chrome browser.
Any website using a SHA-1-signed certificate issued after January 1, 2016, will be blocked as of an unspecified date in the early part of next year, according to a report from Tom’s Hardware. While the algorithm has been set for deprecation for some time, there’s been more impetus to do so in recent months.
A team comprising Marc Stevens, Pierre Karpman, and Thomas Peyrin published research earlier this year that suggests a criminal entity could carry out a SHA-1 collision attack for around $100,000. With that kind of accessibility, Google and other organizations are thought to have sped up plans to discontinue support.
The Baseline Requirements for SSL have been updated to stipulate an end to any distribution of SHA-1 certificates in 2016, so it seems clear that the writing is on the wall for the algorithm. However, there seems to be little downside to Google being proactive in cleaning up any perceived threats to the quality of Internet access.
In recent months, Google has targeted security software firm Symantec, after doubt was cast over the way that the company was issuing its certificates. Earlier this month, Symantec made a request to Google that one of its legacy certificates be untrusted or removed.
At present, Firefox and Microsoft Edge are also expected to begin blocking SHA-1 certificates before the end of 2017. However, given that Google has chosen to accelerate the process, it wouldn’t be all that surprising to see others follow suit.