SHA-1 and Google Chrome
SHA-1 and Google Chrome: 20 November 2014
On 18 November Google released Chrome 39. Users visiting web services secured with SHA-1 certificates that expire in 2017 are now shown a grey padlock with a yellow warning triangle instead of the usual recognisable green padlock.
Chrome 39 still indicates that the connection is secure and encrypted, but states that "The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it".
We strongly recommend that customers replace the affected certificates promptly, and certainly before Chrome 41 (out in early 2015), when users will be presented with a pop-up window warning of an insecure and unencrypted connection. On 14 November credits were applied to your JCS account to enable you to replace affected certificates at no cost.
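One way to find the certificates this notice describes, as an added example that is not part of the original notice or of the certificate service's own tooling: the function reads the text printed by `openssl x509 -noout -text` and reports whether the certificate is SHA-1 signed and how its expiry compares with 2017. The status labels, the sample text and the file name `server.crt` are hypothetical, and "expire in 2017" is read here as a notAfter year of 2017 or later.

```shell
#!/bin/sh
# Real use (server.crt is a placeholder file name):
#   openssl x509 -in server.crt -noout -text | sha1_status

sha1_status() {
    # Reads `openssl x509 -noout -text` output on stdin and prints one of:
    #   ok               signature is not SHA-1 based
    #   replace-now      SHA-1 signature, notAfter year 2017 or later (assumed cut-off)
    #   sha1-short-lived SHA-1 signature, expires before 2017
    #   unparsed         expected fields were not found
    awk '
        # First "Signature Algorithm:" line; the name is the last field.
        /Signature Algorithm:/ && alg == "" { alg = tolower($NF) }
        # "Not After : Mar 10 23:59:59 2017 GMT" -> year is the field before GMT.
        /Not After *:/ { year = $(NF - 1) }
        END {
            if (alg == "" || year == "") { print "unparsed"; exit }
            if (alg !~ /sha1/) { print "ok"; exit }
            if (year + 0 >= 2017) print "replace-now"
            else print "sha1-short-lived"
        }'
}

# Constructed sample input: trimmed openssl text output.
# $1 = signature algorithm name, $2 = notAfter year.
sample_text() {
    cat <<EOF
Certificate:
    Data:
        Signature Algorithm: $1
        Validity
            Not Before: Mar 10 00:00:00 2014 GMT
            Not After : Mar 10 23:59:59 $2 GMT
    Signature Algorithm: $1
EOF
}

sample_text sha1WithRSAEncryption 2017 | sha1_status     # replace-now
sample_text sha1WithRSAEncryption 2015 | sha1_status     # sha1-short-lived
sample_text sha256WithRSAEncryption 2017 | sha1_status   # ok
```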
Comments
Do you have a mechanism for us to request SHA-1 certs expiring at end of 2015?
This currently seems to be the best solution for sites which need to support visitors using Windows XP SP2 (see https://bugzilla.mozilla.org/show_bug.cgi?id=1064387#c5). We (hopefully) wouldn't want to do this for all of our affected servers but might need it for the servers involved in recruitment of overseas students.
This obviously doesn't really fix things; it just avoids the warnings for twelve months in the hope that XP SP2 usage will decline.
Hi Paul,
It is still possible to get SHA-1 certificates through the service, but these have to be requested manually by the Janet Service Desk.
You will need to email the desk (certificates@ja.net) to request it, making sure you have enough credits on your account. Please specify the type of certificate required together with the email address for the Domain Control Validation response step.
Sorry, the correct email address to use is now certificates@jisc.ac.uk; we're still getting used to the email switchover. The other address will still work, however, for the next 12 months.