After some pushback from the industry, Google has revised its timetable for deprecating support of the SHA-1 cryptographic hash in TLS/SSL digital certificates, but the new schedule may still be too aggressive and nearly impossible for many web operators to meet.
Having noted for quite some time that SHA-1 no longer offers an acceptable level of security, Google has made it clear that it would compel users to update their security certificates, moving from SHA-1 to SHA-2 over the next two to three years. Microsoft, too, said last fall that it would start withdrawing its support for SHA-1 on January 1, 2016, with the transition complete by January 1, 2017.
But Google's late-August announcement that Chrome 39, due to be released within the next 12 weeks, will treat some sites as untrusted, and that notifications would begin appearing when users accessed those sites, took even advocates of the transition by surprise.
The accelerated schedule raised concerns that potentially hundreds of thousands of web operators may not be able to comply in the proposed timeframe and that users would find the notifications both confusing and alarming.
“It took everyone by surprise,” Jeremy Rowley of the CA Security Council (CASC), associate general counsel at DigiCert, Inc., told SCMagazine.com in a Wednesday interview.
While the CASC applauds Google's “endeavor” to strengthen browser security and supports the transition to SHA-2, he explained that a lot of companies are still using SHA-1, particularly in China, and that the first notifications in Google's proposed schedule would hit during the holiday season, when companies can't afford any interruptions. Even the adjusted deprecation schedule offers only a little wiggle room.
“It's a nice gesture,” said Rowley, but “accelerating a whole year really messes up the sales cycle.”
The number of organizations and users that the change will impact is currently unknown.
“Maybe Google has numbers on how many people it will impact but they haven't shared yet,” Rowley said. “We know a lot of people using SHA-1. Getting [SHA-2] installed on their systems in the next two months” before the warnings start popping up might prove impossible.