Chrome Version 42 Starts Marking SHA-1 SSL Certificates As Insecure

Tired of the privacy invasion of the Chrome webbrowser? Worried about the risk of seeing ads everywhere? Give the Brave Browser a try. It supports all the same Chrome extensions, with none of the telemetry. It auto-blocks ads and helps support content creators like me.

Give the Brave browser a try »

Profile image of Mattias Geniar

Mattias Geniar, April 07, 2015

Follow me on Twitter as @mattiasgeniar

As announced in September 2014, Chrome version 42 will start to block mark SSL connections using the SHA-1 algorithm as insecure, with a big red cross in the browser.

Update #1: this article originally mentioned Chrome blocking SHA-1 certificates. Chrome will mark them as insecure, but won’t actively block the connection. More in the post below.

Update #2: Chrome 42 is now the default and is auto-updated on all clients. SHA-1 certificates are now marked as insecure. (Chrome Release Blog: the Stable channel has been updated to 42.0.2311.87)

Chrome v42 is now publicly released. The browser now starts marking SSL certificates that still use the SHA-1 algorithm as insecure with a big red cross.

What is valid on Chrome 41, isn’t on Chrome 42. The xkcd.com site is a prime example. Here’s the site on Chrome 41.

xkcd_sha1_chrome

That same site is showing SSL certificate errors on Chrome 42.

xkcd_sha1_chrome_blocked

If you haven’t already, check your certificates. If they’re still using the SHA-1 algorithm, ask your SSL provider for a re-issue (hopefully free of charge) using a SHA-256. There are some additional rules on when SHA-1 certs are blocked shown as insecure, and when they aren’t, depending on the expiration date.

The tl;dr: only SHA-1 certificates with a validation date > 2015 are reported as insecure.

The problem is, it’s not only your certificate that needs to stop using SHA-1. Every intermediate needs to be updated as well. In the case of XKCD’s site, their certificate was correctly using a SHA-256 algoritme, but their intermediate isn’t.

xkcd_sha265_certificate

xkcd_rapidssl_intermediate_sha1

Better check your certificate chains!

As I’ve said before, the chain of trust is only as strong as its weakest link.



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.