Browser support for SSL with SHA1 signed certificates ending
Chrome, Firefox and Internet Explorer are making the move to discourage the use of SHA1. Microsoft started the push for changing from SHA1 to SHA2 about 1 year ago, Google is choosing to be aggressive in what it shows to users of Chrome browser which is due around November 20 something.
With Chrome
Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.
Chrome 40 after the holidays
Sites with end-entity certificates that expire between 1 June 2016 to 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”. Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “neutral, lacking security”.
Chrome 41 first quarter 2015
Sites with end-entity certificates that expire between 1 January 2016 and 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.
Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domain will be treated as “active mixed content”. The current visual display for “affirmatively insecure” is a lock with a red X, and a red strike-through text treatment in the URL scheme.
The full article – http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
With Firefox
For instance, after January 1, 2016, we plan to show the “Untrusted Connection” error whenever a newly issued SHA-1 certificate is encountered in Firefox. After January 1, 2017, we plan to show the “Untrusted Connection” error whenever a SHA-1 certificate is encountered in Firefox.
The full article – https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
With Internet Explorer
Microsoft is requesting that Certificate Authorities stop issuing new SHA-1 SSL and code signing certificates by 1 January 2016. With regards to SSL certificates, Windows (Internet Explorer) will no longer recognize or accept SHA-1 certificates from 1 January 2017
The full article – https://technet.microsoft.com/library/security/2880823 and http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
To check a certificate on a website – https://ssltools.websecurity.symantec.com/checker/
Michael Spice can help you with testing, and getting certificates re-signed by your certificate authority.