Wednesday, November 23, 2016

Google Chrome Penalizes Websites Using SHA-1 SSL Certificates

Just recently, I was working with the Microsoft Dynamics GP 2016 web client and, as is customary, I ran my tests on Google Chrome and on Microsoft Internet Explorer and Edge. When I brought up the web client website in Internet Explorer and Edge, nothing out of the ordinary seemed to happen; the address bar was squeaky clean, as shown below:

Microsoft Edge address bar

Internet Explorer address bar

However, when you bring up the same site in Google Chrome, you are greeted with a site configuration warning and a struck-out https prefix, as shown below:

Chrome address bar

If you further click on the warning sign, you get additional information stating:

"This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private."


The Details link is even more descriptive: it opens the Chrome Security pane, which reports that the certificate's expiration date is approaching and that the page is insecure.


So, I figured, an SSL certificate is an SSL certificate and SHA-1 is by far better than HTTP or no certificate at all (which the web client does not support anyway). However, I started digging a bit more and, as it turned out, Google began phasing out support for SHA-1 certificates starting with version 42 of Chrome. The phase-out has been gradual. In version 42, users received a yellow warning triangle over the padlock to indicate that the site's certificate used a weak signature algorithm, IF the certificate expired in 2016. If the certificate expires after 2016, as in the case of my certificate, the user receives the "broken https" indication. Note that the weakness Chrome is flagging is not in the encryption of the session but in the hash the issuing CA used to sign the certificate: a SHA-1 signature is exposed to collision attacks, which would let an attacker obtain a forged certificate that validates just as well as the real one.

Google has also announced the end of the road: starting with Chrome 56, expected in late January 2017, a SHA-1 certificate that chains to a publicly trusted root will produce a certificate error rather than a warning. Certificates issued by a locally installed enterprise root, such as an internal Active Directory Certificate Services CA, will keep working only if an administrator opts in through the EnableSha1ForLocalAnchors policy, and that exception is itself scheduled to end on January 1, 2019. So what do you need to do? If you have third-party certificates in place, you have probably already been contacted by your Certificate Authority, and they have probably already issued you a SHA-256 certificate. If your certificates are issued by an internal Active Directory Certificate Services (AD CS) CA, read the TechNet article on Implementing SHA-2 in Active Directory Certificate Services; reissuing the web client's certificate is not enough if the issuing CA's own certificate is still signed with SHA-1, because Chrome evaluates every certificate in the chain except the root.

If you are using self-signed certificates, restrict them to development environments and do not use them in production.

If you are unsure which signature algorithm your certificates use, you can check your SSL certificates at:

Qualys SSL LABS

Note that the Qualys test can only be run on port 443, and only against a host reachable from the internet; for an internal web client server you will have to inspect the certificate chain locally.
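For servers Qualys cannot reach, here is an added example (my own code, not Mariano's and not part of the Dynamics GP web client) that reads the signature algorithm and expiry straight out of a certificate's DER encoding using only the Python standard library, and then applies the Chrome 42 rule described above. The two "certificates" it runs against are skeletons constructed inside the block, not real certificates; only check_host touches the network, and its host argument is whatever server you want to test.

```python
"""Report the signature algorithm and expiry of an X.509 certificate with a
minimal DER walk (standard library only), then classify it the way the post
describes Chrome 42 doing. Added example, not code from the original post."""
import ssl
from datetime import datetime, timezone

# OID -> (name, is_weak). SHA-1 and MD5 based signatures are the ones Chrome flags.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", True),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10040.4.3": ("dsa-with-sha1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.10": ("rsassa-pss", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_time(tag, raw):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def describe_certificate(data):
    _, cert, _ = read_tlv(data, 0)             # Certificate ::= SEQUENCE
    _, tbs, pos = read_tlv(cert, 0)            # tbsCertificate
    _, alg, _ = read_tlv(cert, pos)            # signatureAlgorithm chosen by the issuing CA
    _, oid_raw, _ = read_tlv(alg, 0)
    oid = decode_oid(oid_raw)
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer, validity, ...
    p = 0
    tag, _, nxt = read_tlv(tbs, p)
    if tag == 0xA0:
        p = nxt
    for _ in range(3):                         # skip serialNumber, signature, issuer
        _, _, p = read_tlv(tbs, p)
    _, validity, _ = read_tlv(tbs, p)
    _, _, q = read_tlv(validity, 0)            # notBefore
    tag, not_after_raw, _ = read_tlv(validity, q)
    name, weak = SIGNATURE_OIDS.get(oid, (oid, None))
    return {"oid": oid, "algorithm": name, "weak": weak,
            "not_after": decode_time(tag, not_after_raw)}

def chrome_42_verdict(info):
    """Chrome 42 rule as described in the post: weak signature and expiry in 2016 ->
    warning triangle; weak signature and expiry after 2016 -> broken https."""
    if info["weak"] is None:
        return "unknown-algorithm"
    if not info["weak"]:
        return "ok"
    return "warning-triangle" if info["not_after"].year <= 2016 else "broken-https"

def check_host(host, port=443):
    """Fetch the leaf certificate a live server presents (network access required)."""
    pem = ssl.get_server_certificate((host, port))
    return describe_certificate(ssl.PEM_cert_to_DER_cert(pem))

# --- constructed samples: skeletal certificates, enough structure for the parser ---
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_sample(oid_bytes, not_after):
    alg = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"")                                        # empty issuer Name
              + der(0x30, der(0x17, b"160101000000Z") + der(0x17, not_after.encode())))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 5))              # dummy BIT STRING

SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SAMPLE_SHA1_2016 = build_sample(SHA1_RSA, "161231235959Z")
SAMPLE_SHA1_2017 = build_sample(SHA1_RSA, "170630235959Z")
SAMPLE_SHA256 = build_sample(SHA256_RSA, "181231235959Z")

if __name__ == "__main__":
    for sample in (SAMPLE_SHA1_2016, SAMPLE_SHA1_2017, SAMPLE_SHA256):
        info = describe_certificate(sample)
        print(info["algorithm"], info["not_after"].date(), chrome_42_verdict(info))
```

Run describe_certificate over every certificate in the chain except the root (export them from the server's certificate store, or with openssl s_client); Chrome does not evaluate the self-signature on the trust anchor itself, so a SHA-1 root is fine while a SHA-1 intermediate is not.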

Until next post!

MG.-
Mariano Gomez, MVP
