Mozilla is showing its support for SHA-1 deprecation (initially proposed by Microsoft and recently in the news due to Google's upcoming changes to Chrome) by implementing security warnings on sites that use SHA-1 SSL Certificates. They announced the upcoming changes they'll be making earlier this week, stating, "...there are still many Web sites that are using SSL certificates with SHA-1 based signatures, so we agree with the positions of Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016, or trusted after January 1, 2017."
What's the timeline and what will the changes look like?
According to Mozilla's blog, their first course of action will be to add security warnings to their Web Console to remind developers that they shouldn't be using SHA-1 certificates. They plan to add more prominent warnings for any certificates that are set to expire after January 1, 2017, the date initially set by Microsoft to stop trusting all SHA-1 certificates. The changes to the Web Console are set to appear in released versions of Firefox in early 2015.
In terms of browser UI changes, here's what we know so far:
- January 1, 2016 - any SHA-1 certificates issued after this date will trigger an "Untrusted Connection" error
- January 1, 2017 - ALL SHA-1 certificates will trigger an "Untrusted Connection" error
Example "Untrusted Connection" message, courtesy Mozilla
In the announcement, Mozilla states, "We may implement additional UI indicators later," so there may be more changes to come. We'll be keeping an eye out for more announcements and will provide updates as more details are released.
Is your website ready?
You can check if your website is currently using a SHA-1 certificate at https://sslcheck.globalsign.com/en_US.
If you have SHA-1 SSL Certificates that expire later than 12/31/2016, you need to take action so you will not be affected by Mozilla's browser UI changes:
- Reissue your certificate to SHA-256. This will ensure your website is compliant when the new versions of Chrome and Firefox are released. GlobalSign lets you upgrade your certificate to SHA-256 at no extra cost.
- If your applications do not support SHA-256, we strongly recommend you upgrade them as soon as possible. You can find more compatibility information here.
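The two facts the advice above hinges on, the certificate's signature algorithm and its notAfter date, can be read straight out of a DER-encoded certificate. The following is an added example (not GlobalSign's or Mozilla's code): a small Python checker that walks just enough of the X.509 structure to report whether a certificate is SHA-1 signed and expires after 12/31/2016. The sample certificate it builds is a constructed, unsigned skeleton for demonstration; a real certificate can be passed as the bytes of a `.der` file.

```python
"""Added example: flag DER-encoded X.509 certs with SHA-1 signatures that expire after 2016-12-31."""
from datetime import datetime, timezone

SHA1_SIG_OIDS = {  # signature-algorithm OIDs that mean SHA-1, keyed by their DER content octets
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",  # 1.2.840.113549.1.1.5
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",            # 1.2.840.10045.4.1
    bytes.fromhex("2a8648ce380403"): "dsaWithSHA1"}                # 1.2.840.10040.4.3
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")                # 1.2.840.113549.1.1.11
CUTOFF = datetime(2016, 12, 31, 23, 59, 59, tzinfo=timezone.utc)   # last notAfter Mozilla will tolerate

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (real certs use it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_time(tag, value):
    """UTCTime (tag 0x17, YY...) or GeneralizedTime (0x18, YYYY...) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_cert(der):
    """Walk Certificate -> TBSCertificate just far enough to read the signature OID and notAfter."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                     # [0] EXPLICIT version is optional
    _, _, pos = read_tlv(tbs, pos)                      # serialNumber
    _, alg, pos = read_tlv(tbs, pos)                    # signature AlgorithmIdentifier
    oid = read_tlv(alg, 0)[1]                           # its first element is the OID
    _, _, pos = read_tlv(tbs, pos)                      # issuer Name
    _, validity, _ = read_tlv(tbs, pos)                 # Validity { notBefore, notAfter }
    tag2, na, _ = read_tlv(validity, read_tlv(validity, 0)[2])
    not_after, algo = decode_time(tag2, na), SHA1_SIG_OIDS.get(oid)
    return {"algorithm": algo or "not SHA-1", "not_after": not_after,
            "needs_action": algo is not None and not_after > CUTOFF}

def tlv(tag, content):
    """DER-encode one TLV; short-form length suffices for the constructed sample below."""
    return bytes([tag, len(content)]) + content

def build_sample_cert(sig_oid, not_after="170301000000Z"):
    """Constructed, unsigned skeleton with enough structure for inspect_cert; not a real certificate."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    validity = tlv(0x30, tlv(0x17, b"150101000000Z") + tlv(0x17, not_after.encode()))
    name = tlv(0x30, b"")                               # empty issuer/subject Name
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))    # dummy signatureValue
```

For a real certificate, call `inspect_cert(open("server.der", "rb").read())`; a PEM file needs its base64 body decoded first.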
Check your certificates today to make sure you aren't using any that will trigger scary security warnings for your visitors. If you have questions about compatibility, how to reissue, or anything else, please don't hesitate to contact us. We're happy to help!