Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can obtain fraudulent certificates. Mozilla, along with other browser vendors, is working on a plan to phase out support for the SHA-1 hash algorithm.
SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some properties of SHA-1 have been getting close to being practical. Collision attacks against the older MD5 hash algorithm have been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning. In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1.
We encourage Certification Authorities (CAs) and Web site administrators to upgrade their certificates to use signature algorithms with hash functions that are stronger than SHA-1, such as SHA-256, SHA-384, or SHA-512. Mozilla’s CA Certificate Maintenance Policy section 8 says: “We consider the following algorithms and key sizes to be acceptable and supported in Mozilla products: SHA-1 (until a practical collision attack against SHA-1 certificates is imminent) …” NIST Guidance recommended that SHA-1 certificates should not be trusted beyond 2014. However, there are still many Web sites that are using SSL certificates with SHA-1 based signatures, so we agree with the positions of Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016, or trusted after January 1, 2017. In particular, CAs should not be issuing new SHA-1 certificates for SSL and Code Signing, and should be migrating their customers off of SHA-1 intermediate and end-entity certificates. If a CA still needs to issue SHA-1 certificates for compatibility reasons, then those SHA-1 certificates should expire before January 2017. More information is available in Mozilla’s list of Potentially Problematic CA Practices.