SHA-1-based certificates with validity period from 2016 will not be validated

Published: | Categories: Privacy & Security

Description

Support for certificates signed with the weak SHA-1 hash algorithm has been deprecated since Firefox 36. As part of the deprecation process, SHA-1-based certificates with a validity period beginning on or after are no longer validated by Firefox 43 and later, and the “This Connection is Untrusted” error page is displayed for sites using such a certificate.

Webmasters: open the Web Console, load your site, and make sure it is not served with a SHA-1-based certificate. If the Console warns about a SHA-1-based certificate, contact the issuer to replace it with a SHA-2-based one; this is done free of charge regardless of the remaining validity period. Firefox, among other browsers, will show the Untrusted Connection error for all SHA-1-based certificates after .

Update: It has been reported that some Firefox users with MITM software (software that intercepts HTTPS connections) installed on their computer are no longer able to visit any HTTPS site, because the certificates such software generates on the fly for each site are SHA-1-based and fall under the new rule. After some discussion, this change has been reverted in Firefox 43.0.4 to allow Mozilla developers to investigate the scope of this risk. See also the Mozilla Security Blog.

Update: This restriction has been reintroduced in Firefox 48, with an exception for certificates chaining to locally-installed root certificates, which is intended to avoid compatibility issues with MITM software. Any SHA-1 certificate issued by a public CA after January 2016 will be rejected.

Update: SHA-1 support will be disabled in January 2017.
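The webmaster check above (is the certificate SHA-1-based, and when does its validity start?) and the rules from the updates (the 2016 cutoff, the Firefox 48 exception for locally-installed roots, the January 2017 switch-off) can be tried offline with the following script. It is an added example, not code from this page or from Mozilla: a minimal DER walker, using only the Python standard library, that reads signatureAlgorithm and notBefore out of an X.509 certificate and applies the policy as the page describes it. The certificates it inspects are constructed in the script itself (correct DER layout, zeroed key and signature bytes), the 2016-01-01 cutoff is an assumption taken from the title (“validity period from 2016”), and the function names are the example’s own.

```python
"""Firefox SHA-1 certificate policy, as described on the fxsitecompat page,
applied to DER certificates. Added example with constructed test certificates;
not Mozilla's implementation."""
from datetime import datetime, timedelta

SHA1_SIGNATURE_OIDS = {                  # standard OIDs for SHA-1-based signatures
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"
SHA1_CUTOFF = datetime(2016, 1, 1)       # assumption: notBefore on/after this is "from 2016"
SHA1_DISABLED = datetime(2017, 1, 1)     # page: SHA-1 support disabled in January 2017


def der(tag, body):
    """Encode one DER TLV (short or two-byte long-form length)."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:                  # base-128, high bit set on all but the last byte
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def read_tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def read_children(value):
    """Split the body of a SEQUENCE/SET into (tag, value) elements."""
    items, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        items.append((tag, body))
    return items


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(body.decode("ascii"), fmt)


def inspect_certificate(der_bytes):
    """Return (signature algorithm OID, notBefore) for a DER certificate."""
    _, cert, _ = read_tlv(der_bytes)
    tbs, sig_alg, _signature = read_children(cert)
    fields = read_children(tbs[1])
    if fields[0][0] == 0xA0:             # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    _serial, inner_alg, _issuer, validity = fields[:4]
    outer_oid = decode_oid(read_children(sig_alg[1])[0][1])
    inner_oid = decode_oid(read_children(inner_alg[1])[0][1])
    if inner_oid != outer_oid:           # RFC 5280: the two algorithm fields must agree
        raise ValueError("signature algorithm mismatch between tbsCertificate and outer field")
    nb_tag, nb_body = read_children(validity[1])[0]
    return outer_oid, decode_time(nb_tag, nb_body)


def firefox_sha1_verdict(der_bytes, locally_installed_root=False, today=None):
    """'accept', 'warn' (deprecated SHA-1 still allowed) or 'reject', per the page's rules."""
    today = today or datetime.now()
    sig_oid, not_before = inspect_certificate(der_bytes)
    if sig_oid not in SHA1_SIGNATURE_OIDS:
        return "accept"
    if locally_installed_root:           # Firefox 48 exception for MITM/locally-installed roots;
        return "warn"                    # assumed to outlive the 2017 cutoff (page does not say)
    if today >= SHA1_DISABLED or not_before >= SHA1_CUTOFF:
        return "reject"
    return "warn"                        # pre-2016 public SHA-1 cert: console warning only


def make_test_cert(sig_oid, not_before):
    """CONSTRUCTED certificate: valid DER layout, zero placeholder key and signature bytes."""
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))       # AlgorithmIdentifier {oid, NULL}
    name = der(0x30, b"")                                       # empty Name is enough to parse
    def utc(d): return der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    bits = der(0x03, bytes(9))                                  # BIT STRING, 0 unused bits
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),      # version v3, serialNumber
        alg, name,                                              # signature, issuer
        der(0x30, utc(not_before) + utc(not_before + timedelta(days=365))),
        name, der(0x30, alg + bits),                            # subject, subjectPublicKeyInfo
    ]))
    return der(0x30, tbs + alg + bits)


def demo():
    """Constructed scenarios (dates are illustrative); returns {scenario: verdict}."""
    sha1 = "1.2.840.113549.1.1.5"
    old, new = make_test_cert(sha1, datetime(2015, 6, 1)), make_test_cert(sha1, datetime(2016, 3, 1))
    mid_2016 = datetime(2016, 8, 15)
    return {
        "sha1 issued 2015, seen in 2016": firefox_sha1_verdict(old, today=mid_2016),
        "sha1 issued 2016, public CA": firefox_sha1_verdict(new, today=mid_2016),
        "sha1 issued 2016, local MITM root": firefox_sha1_verdict(new, True, mid_2016),
        "sha256 issued 2016": firefox_sha1_verdict(make_test_cert(SHA256_RSA_OID, datetime(2016, 3, 1)), today=mid_2016),
        "sha1 issued 2015, seen in 2017": firefox_sha1_verdict(old, today=datetime(2017, 2, 1)),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:40s} -> {verdict}")
```

To run the same check against a live site, feed `inspect_certificate` the DER you get from `ssl.SSLSocket.getpeercert(binary_form=True)` after a TLS handshake; the mismatch check between the inner and outer algorithm fields is there because a validator that reads only one of them can be fooled about which hash it is trusting.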
