Created
October 18, 2016 19:01
-
-
Save anonymous/63e5ecb1de2511985255a98bce7ce2fe to your computer and use it in GitHub Desktop.
SHA-1 TLS deprecation timeline
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Chrome 39 (released 2014-11-18): | |
Leaf certs expiring >= 2017-01-01 with SHA-1 sig in chain -> UI "secure, but with minor errors" [chrome-1] | |
Chrome 40 (released 2015-01-20): | |
Leaf certs expiring (2016-06-01 - 2016-12-31) with SHA-1 sig in chain -> UI "secure, but with minor errors"; | |
Leaf certs expiring >= 2017-01-01 with SHA-1 sign in chain -> UI "neutral, lacking security" [chrome-1] | |
Chrome 42 (released 2015-04-14): | |
Leaf certs expiring (2016-01-01 - 2016-12-16) with SHA-1 sig in chain -> UI "secure, but with minor errors"; | |
Leaf certs expiring >= 2017-01-01 with SHA-1 sign in chain -> UI "affirmatively insecure" [chrome-1][filippo] | |
Firefox 43 (released 2015-12-15): | |
Leaf certs issued >= 2016-01-01 with SHA-1 sig in chain -> skippable click-through error [moz-1] | |
Chrome 48 (released 2016-01-20): | |
Leaf certs issued >= 2016-01-01 with SHA-1 sig in chain and chains to public root CA -> skippable click-through error [chrome-2] | |
Chrome >48 (sometime in 2016): | |
Leaf certs with SHA-1 sig in chain and chains to public root CA -> unskippable fatal error [chrome-2] | |
Edge, IE, Windows - Summer 2016 (released 2016-07-24): | |
Leaf certs with SHA-1 sig in chain and chains to public root CA -> UI "no lock icon" [ms-3] | |
Firefox 51 (release ~2017-01; phased rollout starting 2016-11-07): | |
Leaf certs with SHA-1 sig in chain and chains to public root CA -> skippable click-through error [moz-2][kaply] | |
Edge, IE, Windows (2017-02-14): | |
"Windows will no longer trust certificates signed with SHA-1" [ms-1] | |
"both Edge and IE will block SHA-1 signed TLS certificates" [ms-3] | |
[chrome-1] https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html | |
[chrome-2] https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html | |
[cf] https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/ | |
[filippo] https://blog.filippo.io/the-unofficial-chrome-sha1-faq/ | |
[kaply] https://mike.kaply.com/2016/09/01/upcoming-changes-to-root-certificates-in-firefox-on-windows/ | |
[moz-1] https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/ | |
[moz-2] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ | |
[ms-1] https://aka.ms/sha1 | |
[ms-2] https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/ | |
[ms-3] https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment