Google Says SHA-1 Encryption Not Secure, Will Drop Support in Chrome


Google will soon drop support for the SHA-1 cryptographic hash algorithm in Chrome. The Mountain View-based company has said that it would start to ditch the outdated encryption technology from January 1, 2016, and completely pull support by January 1, 2017.

The company wrote in a blog post that it doesn’t consider SHA-1 secure any more, and starting January 1, 2016, Chrome 48 will display a certificate error to any certificate that is signed with an SHA-1 based signature, or is issued on or after January 1, 2016. The company will completely stop supporting SHA-1 certificates by January 1, 2017.

“Google Chrome does not treat SHA-1 certificates as secure any more, and will completely stop supporting them over the next year,” the company wrote in a blog post. “Chrome will discontinue support in two steps: first, blocking new SHA-1 certificates; and second, blocking all SHA-1 certificates.”

Google isn’t the only browser provider that is taking a strong stand against SHA-1. Microsoft andMozilla have announced that they would drop support for the outdated encryption technology from their respective Web browsers on January 1, 2017.

Web browsers as well as websites protect the data exchange and communications by encrypting traffic using a hash function. This traffic carries a unique fingerprint which gets digitally signed ensuring that the data hasn’t been altered when it passed through various servers. The SHA-1 encryption technology has been around since 1995 and is widely used. As per an estimate from last year, around 90 percent of websites used SHA-1 encryption. Over the years, SHA-1 has become one of the weakest links from the security standpoint, and has been the reason for several security attacks.

In 2011, Baseline Requirements for SSL identified weaknesses in SHA-1 and recommended certificate authorities to transition away from SHA-1 based signatures by early January, 2016. Google hopes that all CAs will stop issuing SHA-1 certificates in 2016.