The number of HTTPS errors is about to go up as Google announced plans to remove support for SSL/TLS certificates signed with the SHA-1 cryptographic hash algorithm. Google plans to take this step with Chrome 56, scheduled for release at the end of January 2017.

Both Mozilla and Microsoft announced similar intentions, also for the start of 2017. Mozilla will remove support for SHA-1 certificates in Firefox 51, while Microsoft said that starting in February 2017, both Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates.

SHA-1 deemed insecure

This race to phase out SHA-1 from HTTPS started last autumn, when a team of researchers demonstrated that it was much easier than anticipated to break the SHA-1 hash function, which had been deemed insecure since 2004 but which many had hoped would remain somewhat safe until 2020.

Their research, dubbed TheShappening, drove Mozilla, Microsoft, Google, and other browser vendors that are part of the CA/B Forum to put out an industry ban that prevented HTTPS providers, called Certificate Authorities, from issuing new SSL/TLS certificates signed with SHA-1.

Some Certificate Authorities, such as WoSign and StartCom, ignored this ban. As a result, both have been banned by Mozilla, Apple, and Google in their products.

CloudFlare, Facebook, and Twitter opposed this sudden change and proposed a different plan. They argued that older browsers and older operating systems could not handle SHA-2 certificates, and pleaded with browser vendors to allow SHA-1 as a fallback system for those devices. Unfortunately, the plan didn't go anywhere.

Warnings for insecure HTTPS sites are about to go up

It is currently unknown how many websites are still using SHA-1 today. In October 2015, when TheShappening report came out, Netcraft said that it had identified over one million SSL certificates in the wild that had been signed with SHA-1.

If these websites have failed to update their HTTPS support to SHA-2 or newer algorithms, browsers such as Chrome will show visible errors that might deter users from using the site and damage business reputation.

Certificate Authority Thawte has provided an informative summary regarding the current state of SHA-1 in modern browsers.

Webmasters are advised to reach out to their Certificate Authorities and ask for certificates signed with SHA-2, if they haven't done so already.
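To find out whether a certificate is affected, a webmaster can read its signature algorithm directly. The following is an added example, not part of the original article: it parses a DER-encoded certificate and reports whether the signature uses SHA-1. The function names and the two sample certificates are constructed for illustration.

```python
# Standard OIDs for SHA-1 based signatures: RSA, ECDSA and DSA.
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.2.840.10040.4.3"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode DER OID content bytes to dotted form (first arc 0 or 1)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Return the OID in the outer signatureAlgorithm field of a DER certificate."""
    tag, start, _ = read_tlv(der, 0)                # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)            # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    return decode_oid(der[oid_start:oid_end])

def uses_sha1(der):
    """True if the DER-encoded certificate carries a SHA-1 based signature."""
    return signature_oid(der) in SHA1_OIDS

def tlv(tag, value):
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def constructed_cert(oid):  # demo-only skeleton: placeholder body and signature
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, bytes(200)) + alg + tlv(0x03, bytes(17)))

# Constructed samples: sha1WithRSAEncryption and sha256WithRSAEncryption.
SHA1_CERT = constructed_cert(bytes.fromhex("2a864886f70d010105"))
SHA256_CERT = constructed_cert(bytes.fromhex("2a864886f70d01010b"))
```

A PEM file can be converted to DER first with `ssl.PEM_cert_to_DER_cert` from the Python standard library.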