At CloudFlare, we’re dedicated to ensuring sites are not only secure, but also available to the widest audience. In the coming months, both Google’s Chrome browser and Mozilla’s Firefox browser are changing their policy with respect to certain web site certificates. We are aware of these changes, and we have modified our SSL offerings to ensure customer sites continue to be secure and available to all visitors.
Chrome (and Firefox) and SHA-1
Google will be making changes to its Chrome browser in upcoming versions to change the way they treat certain web site certificates based on their digital signature. These changes affect over 80% of websites.
As described in our blog post on CFSSL, web site certificates are organized using a chain of trust. Digital signatures are the glue that connects the certificates in the chain. Each certificate is digitally signed by its issuer using a digital signature algorithm defined by the type of key and a cryptographic hash function (such as MD5, SHA-1, SHA-256).
Starting in Chrome 39 (to be released this month, November 2014), certificates signed with a SHA-1 signature algorithm will be considered less trusted than those signed with a more modern SHA-2 algorithm. This change will be reflected in the UI presented to web visitors.
By Chrome 41 (early 2015), any web site with a certificate that expires in 2016 or later will be shown as untrusted if either:
- The certificate is signed with a SHA-1 algorithm
- One of the certificates in its trust chain is signed with a SHA-1 algorithm (roots are exceptions)
This post on the Chromium Blog outlines the schedule of the rollout.
Web sites that want to remain trusted by Google Chrome need to either have a SHA-2 certificate or a SHA-1 certificate that expires before 2016. Otherwise, their site will appear to Chrome users with a warning like this:
Mozilla is also implementing a similar change in their Firefox browser in early 2015, marking SHA-1 certificates as untrusted if they expire in 2016 or later.
Chrome’s decision puts many website owners in a bind. Sites either have to re-issue their SHA-1 certificates with a shorter expiration period, or upgrade to SHA-2. The problem with upgrading is that not all web browsers support SHA-2 certificates. Notably, Windows XP SP2 does not support SHA-2 based certificates. Windows XP is still a popular operating system despite the fact that Microsoft no longer supports it. It is especially popular in China, the largest Internet market in the world. Sites that use a SHA-2 certificate are inaccessible to these web users over https.
GlobalSign has put together a comprehensive list of SHA-2 client support.
Sites that have tried to upgrade to SHA-2 have seen a backlash due to browser incompatibility. In July, mozilla.org upgraded their site to use a SHA-2 certificate. In doing so they lost around 145,000 Firefox downloads per week due to browser incompatibility. Even google.com (as of November 10, 2014) continues to use SHA-1 for compatibility reasons, despite the company’s push to deprecate SHA-1 in Chrome.
To support both Chrome and Windows XP SP2 it’s necessary to use a SHA-1 certificate that expires before 2016. This is the option we have chosen for CloudFlare-managed certificates.
Last week, we reissued all certificates for paid CloudFlare customers. The new certificates are signed with the SHA-1 signature algorithm and expire before 2016. This way all customers sites will be viewable by visitors on Windows XP SP2 and Chrome, just as they are today.
- All paid customers now get a CloudFlare-managed SHA-1 certificate that expires in late 2015.
- All free customers are given certificates through CloudFlare’s Universal SSL. They are SHA-2 by default.
For customers using CloudFlare’s certificates there is no action to be taken. Business and Enterprise customers with custom certificates who may be affected by the change have already been contacted with details and specific instructions.
The Future of HTTPS at CloudFlare
In 2015, we will roll out state-of-the-art SNI certificates to all paid customers and retain the SHA-1 certificates as a fallback. This means that any browser that supports the modern security features we introduced with Universal SSL (ECDSA, SHA-256 and SNI) will be presented with the modern certificate and old browsers (such as IE on Windows XP) will be presented with the current SHA-1 certificate. This ensures that all sites on the paid CloudFlare service are reachable by the largest audience possible, while providing state-of-the-art security for any browser that supports it.