Google's plan for Chrome worries certificate authority vendors

Certificate Authority Security Forum says 'deprecation' of SHA-1 algorithm risks chaos during shopping season.

Google intends to change its Chrome browser later this year so that it displays a warning on websites whose certificates are signed with the SHA-1 hash algorithm. Google wants to push websites to migrate to certificates signed with the stronger SHA-2 algorithm, which is far harder to break through raw computing power.

Certificate authority vendors are calling Google's plan overly aggressive in its timeframe, and say it's likely to cause mass confusion right as the holiday shopping season commences.

Google is expected to change Chrome in November so that users who visit websites with SHA-1-based certificates will see a warning that could surprise them, says Dean Coclin, senior director of business development at Symantec. Coclin is active in two industry groups, the Certificate Authority Browser Forum and the CA Security Forum, which are carefully monitoring Google's plan.

The surprise would be that an updated version of Chrome, when used to reach a website with a SHA-1 certificate, will give the user a "Secure, but minor errors" icon in the form of a lock with a yellow triangle. That is the same icon shown when Chrome detects insecure content in a page but decides to load it anyway.

Ryan Sleevi, senior software engineer at Google, revealed the plan Aug. 20 in a Google online developer forum, and it has led to some uproar over the past month. The CA Security Council, which includes the seven largest certificate authorities, expressed its concerns in a statement shortly thereafter.

"Considering many users may still use software lacking SHA-2 support, primarily Windows XP SP2, and the still unknown impact on a complete SHA-1 migration, this 12 week timeframe is aggressive," the group said. "In addition, many devices still lack SHA-2 support, making necessary possibly unplanned and expensive upgrades. With fall shopping season nearly here, this policy may be particularly concerning for small Internet stores, which could be impacted just before the holiday rush." The Council is urging "all website operators to accelerate their SHA-2 deployment where possible."

Google is hardly alone in its desire to see SHA-1 phased out, as the weakness of the SHA-1 algorithm has long been widely recognized.

Jeremy Rowley, vice president of business development at DigiCert, also on the CA Security Forum steering committee, said it's known that massive amounts of computing power could break SHA-1, though that is currently not thought to be practical for most attackers. Some organizations, such as spy agencies with large computing resources, are assumed to be capable of it, however. The danger in breaking SHA-1 is that a second document or certificate could be crafted to produce the same hash and be substituted for the signed one, so the signature would still verify and message integrity would be lost.

The certificate-authority industry has generally backed the migration timeline to SHA-2 announced by Microsoft last year, which calls for deprecation of SHA-1 in code signing certificates by Jan. 1, 2016 and in SSL certificates by Jan. 1, 2017. The certificate authorities would prefer that Google stick with the timeframe set by Microsoft to avoid confusing website operators and web users.
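For a website operator trying to work out where a certificate stands against these dates, the check below is an added example written for this article, not tooling from Google, Symantec, DigiCert or any other certificate authority. It reads a certificate in PEM or DER form, walks the DER structure with no third-party library, decodes the signatureAlgorithm OID to tell whether the signature uses SHA-1 (for both the RSA and the ECDSA signature OIDs, which goes beyond the RSA case the article has in mind) and whether the certificate is still valid past the Jan. 1, 2017 SSL deadline cited above. The certificates it runs on are constructed skeletons built by the helper at the bottom, not CA-issued ones.

```python
# Added example (not from the article or any CA's tooling): a dependency-free
# DER walker that reports whether a certificate is SHA-1-signed and whether it
# is still valid past the Jan. 1, 2017 SSL deadline the article cites.
import base64
import datetime

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) and the hash each uses.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-512"),
}
MS_SSL_SHA1_DEADLINE = datetime.datetime(2017, 1, 1)  # Microsoft's date, from the article


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a SEQUENCE's content into its top-level (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_tlv(content, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """OID content bytes -> dotted string, e.g. '1.2.840.113549.1.1.5'."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def load_cert(data):
    """Accept PEM or DER bytes and return DER."""
    if b"-----BEGIN" in data:
        return base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data


def inspect_cert(data):
    """Return the signature hash, notAfter and a verdict for one certificate."""
    tag, cert, _ = der_tlv(load_cert(data))
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tbs, sig_alg = der_children(cert)[:2]        # tbsCertificate, signatureAlgorithm
    oid = decode_oid(der_children(sig_alg[1])[0][1])
    name, hash_name = SIG_ALG_HASH.get(oid, (oid, "unknown"))
    fields = der_children(tbs[1])                 # [0] version?, serial, sig, issuer, validity, ...
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    t_tag, t_val = der_children(fields[3][1])[1]  # validity.notAfter
    fmt = "%y%m%d%H%M%SZ" if t_tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    not_after = datetime.datetime.strptime(t_val.decode(), fmt)
    sha1, past = hash_name == "SHA-1", not_after > MS_SSL_SHA1_DEADLINE
    verdict = ("SHA-1 signed: will draw Chrome's warning, reissue with SHA-2" if sha1
               else f"{hash_name} signed: not affected")
    if sha1 and past:
        verdict += "; also valid past Microsoft's Jan. 1, 2017 SSL deadline"
    return {"signature_algorithm": name, "hash": hash_name, "not_after": not_after,
            "sha1": sha1, "valid_past_ms_ssl_deadline": past, "verdict": verdict}


# --- constructed demo input: skeletal certificates, NOT CA-issued ones ---
def _der(tag, content):
    """DER encoder for the short (< 128 byte) lengths the samples need."""
    return bytes([tag, len(content)]) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:  # remaining 7-bit groups, high bit set, most significant first
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def sample_cert(sig_oid, not_after="171231235959Z"):
    """Minimal Certificate with the given signature OID and notAfter (UTCTime)."""
    alg = _der(0x30, encode_oid(sig_oid) + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"140101000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + validity + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))  # dummy signature bits


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Pass `inspect_cert` the bytes of a certificate saved from a server (for instance one of the blocks printed by `openssl s_client -showcerts`) and read the `verdict` field. Real certificates use long-form DER lengths, which `der_tlv` handles; the sample encoder only needs the short form because the skeletons are under 128 bytes.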

"Users are thrown into this confusing game with confusing dates," says Rowley. But despite pleas to Google to slow down what's seen as an accelerated timeframe, "they're ignoring us," he says.

In the online forum, Sleevi thanks those who "participated in these spirited discussions, shared data and experience," and the SHA-1 plans he outlines mention "a rough timeline of changes."

Sleevi also noted that Google plans to "monitor user feedback (both manual and automated), feedback from affected vendors, ISVs, and enterprises, feedback from site operators, trends in the overall TLS ecosystem and considerations from CAs with these dates, but these represent real and achievable goals for an effort that began nearly a year ago in force, nearly 3 years ago in spirit, and 9 years after practical weaknesses were demonstrated."
