{"id":2135,"date":"2016-10-18T07:40:30","date_gmt":"2016-10-18T14:40:30","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2135"},"modified":"2016-10-18T07:40:30","modified_gmt":"2016-10-18T14:40:30","slug":"phasing-out-sha-1-on-the-public-web","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/","title":{"rendered":"Phasing Out SHA-1 on the Public Web"},"content":{"rendered":"

An algorithm we\u2019ve depended on for most of the life of the Internet \u2014 SHA-1 \u2014 is aging, due to both mathematical and technological advances. Digital signatures incorporating the SHA-1 algorithm may soon be forgeable by sufficiently-motivated and resourceful entities.<\/p>\n

Via our and others\u2019 work in the CA\/Browser Forum<\/a>, following our deprecation plan announced last year<\/a> and per recommendations by NIST<\/a>, issuance of SHA-1 certificates mostly halted for the web last January, with new certificates moving to more secure algorithms. Since May 2016, the use of SHA-1 on the web fell from 3.5% to 0.8% as measured by Firefox Telemetry<\/a>.<\/p>\n

In early 2017, Firefox will show an overridable \u201cUntrusted Connection<\/a>\u201d error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla\u2019s CA Certificate Program<\/a>. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases<\/a>, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.<\/p>\n

This policy has been included as an option in Firefox 51<\/a>, and we plan to gradually ramp up its usage. \u00a0Firefox 51 is currently in Developer Edition, and is currently scheduled for release in January 2017. We intend to enable this deprecation of SHA-1 SSL certificates for a subset of Beta users during the beta phase for 51 (beginning November 7) to evaluate the impact of the policy on real-world usage. As we gain confidence, we\u2019ll increase the number of participating Beta users. Once Firefox 51 is released in January, we plan to proceed the same way, starting with a subset of users and eventually disabling support for SHA-1 certificates from publicly-trusted certificate authorities in early 2017.<\/p>\n

Questions about SHA-1 based certificates should be directed to the mozilla.dev.security.policy<\/a> forum.<\/p>\n","protected":false},"excerpt":{"rendered":"

An algorithm we\u2019ve depended on for most of the life of the Internet \u2014 SHA-1 \u2014 is aging, due to both mathematical and technological advances. Digital signatures incorporating the SHA-1 … Read more<\/a><\/p>\n","protected":false},"author":1349,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69,45499],"tags":[],"coauthors":[],"yoast_head":"\nPhasing Out SHA-1 on the Public Web - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"J.C. Jones\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/\",\"name\":\"Phasing Out SHA-1 on the Public Web - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2016-10-18T14:40:30+00:00\",\"dateModified\":\"2016-10-18T14:40:30+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f2bfcea9a0c404ce2431925922bedbde\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Phasing Out SHA-1 on the Public Web\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f2bfcea9a0c404ce2431925922bedbde\",\"name\":\"J.C. Jones\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/d063fc46e7671301c178b2781210dff7\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/64eb1412c9354cf356df31936368cdac?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/64eb1412c9354cf356df31936368cdac?s=96&d=identicon&r=g\",\"caption\":\"J.C. Jones\"},\"description\":\"Keeping people safe on the 'net. Cryptography Engineering lead for Firefox.\",\"sameAs\":[\"https:\/\/tacticalsecret.com\/\",\"https:\/\/x.com\/JamesPugJones\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Phasing Out SHA-1 on the Public Web - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/","twitter_misc":{"Written by":"J.C. Jones","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/","url":"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/","name":"Phasing Out SHA-1 on the Public Web - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2016-10-18T14:40:30+00:00","dateModified":"2016-10-18T14:40:30+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f2bfcea9a0c404ce2431925922bedbde"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2016\/10\/18\/phasing-out-sha-1-on-the-public-web\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Phasing Out SHA-1 on the Public Web"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f2bfcea9a0c404ce2431925922bedbde","name":"J.C. Jones","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/d063fc46e7671301c178b2781210dff7","url":"https:\/\/secure.gravatar.com\/avatar\/64eb1412c9354cf356df31936368cdac?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/64eb1412c9354cf356df31936368cdac?s=96&d=identicon&r=g","caption":"J.C. Jones"},"description":"Keeping people safe on the 'net. Cryptography Engineering lead for Firefox.","sameAs":["https:\/\/tacticalsecret.com\/","https:\/\/x.com\/JamesPugJones"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2135"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1349"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2135"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2135\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2135"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}