SHA-1 certificates issued by public CA will no longer be accepted

Published: | Categories: Privacy & Security

Description

Support for SSL certificates using the weak SHA-1 hash algorithm has been deprecated since Firefox 36. Since Firefox 48, SHA-1 certificates issued after are no longer accepted, except for manually imported root certificates.

Firefox 53 removes the issuance-date condition, so any SHA-1 certificate issued by a public certificate authority will lead to the Untrusted Connection error. According to Mozilla’s announcement, current SHA-1 usage is less than 1%, and the deprecation will be gradually expanded during the Firefox 51 Beta cycle while its impact is evaluated.

If the Web Console warns about a SHA-1 certificate when loading your site, contact the issuer immediately to replace it with a new SHA-2 certificate for free, regardless of the remaining validity period.

Update: Fixed the affected version: not Firefox 51 but 53.

Update 2: Given that Google Chrome 56 has already removed the SHA-1 support in January 2017, Mozilla plans to make this change earlier with Firefox 52 shipping in March. We’ve updated this note’s version again accordingly.

Update 3: According to a comment in the bug, if you still see the error page in Firefox after replacing your certificate, the intermediate certificate(s) may need to be updated as well, since the certificate authority (CA) may have reissued them in recent years. Other browsers may not show any error in such cases, depending on their policy. See the list of affected sites.
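Because a freshly issued SHA-2 leaf can still sit on a stale SHA-1 intermediate, the check worth running is over the whole chain the server sends, not just the leaf. The following is an added example (not code from Mozilla or from the original note): a standard-library-only Python walker that reads the outer `signatureAlgorithm` field of each DER certificate and reports which members the issuer signed with SHA-1. The sample chain is constructed, and the `_der`, `_fake_cert` helpers and the `root_included` parameter are this example's own.

```python
# signatureAlgorithm OIDs meaning "the issuer signed this certificate with SHA-1"
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
def _tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted-decimal string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """OID of the outer Certificate.signatureAlgorithm, i.e. how the *issuer* signed
    this certificate; this is the field the browser's SHA-1 check is about."""
    _, pos, _ = _tlv(cert_der, 0)              # Certificate ::= SEQUENCE {
    _, _, pos = _tlv(cert_der, pos)            #   tbsCertificate  (skipped)
    _, pos, _ = _tlv(cert_der, pos)            #   signatureAlgorithm ::= SEQUENCE {
    tag, start, end = _tlv(cert_der, pos)      #     algorithm OBJECT IDENTIFIER, ...
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(cert_der[start:end])

def sha1_signed_members(chain_der, root_included=False):
    """DER certs as sent by the server, leaf first -> [(index, name)] of SHA-1-signed members.
    With root_included=True the trailing self-signed root is skipped: its own signature is never verified."""
    members = chain_der[:-1] if root_included else chain_der
    return [(i, SHA1_SIG_OIDS[oid]) for i, der in enumerate(members)
            if (oid := signature_algorithm(der)) in SHA1_SIG_OIDS]

# Constructed sample chain (NOT real certificates): leaf SHA-256, intermediate and root SHA-1 signed.
def _der(tag, content):
    return bytes([tag, len(content)]) + content          # short-form length only; sample is small

def _fake_cert(sig_oid_der):
    tbs = _der(0x30, _der(0x02, b"\x01"))                  # stand-in tbsCertificate
    alg = _der(0x30, sig_oid_der + b"\x05\x00")            # AlgorithmIdentifier {oid, NULL}
    return _der(0x30, tbs + alg + _der(0x03, bytes(17)))   # + placeholder BIT STRING
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")       # 1.2.840.113549.1.1.11
SHA1_RSA = bytes.fromhex("06092a864886f70d010105")         # 1.2.840.113549.1.1.5
CHAIN = [_fake_cert(SHA256_RSA), _fake_cert(SHA1_RSA), _fake_cert(SHA1_RSA)]
```

Real input would be the DER certificates captured from the TLS handshake (for example saved with `openssl s_client -showcerts` and converted from PEM), where a hit at index 1 or higher is exactly the stale-intermediate case described above.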

Update 4: In reaction to Google’s announcement of the first practical SHA-1 collision, Mozilla has remotely disabled the SHA-1 support for all Firefox users on , without waiting for the final release of Firefox 52 on .
