Starting in Firefox 51, Mozilla’s web browser will display an error when a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program.
Designed over two decades ago, the SHA-1 algorithm has become an important Internet security standard used in HTTPS connections, but recent research has revealed that the cost of breaking the SHA-1 cryptographic hash function is lower than previously estimated.
As a result, many tech companies decided to sunset the algorithm, with Google first announcing such plans in Sept. 2014. Last year, the company revealed that it might start rejecting SHA-1 certificates this year, sooner than initially intended.
Although Mozilla announced similar plans last year, in January, after Firefox 43 began rejecting new SSL certificates that use the SHA-1 cryptographic hash function, they re-enabled the support after evaluating the impact on users. In February, the company allowed Symantec to issue nine new SHA-1-based SSL certificates to payment processor Worldpay.
Starting with Feb. 2017, the Microsoft Edge and Internet Explorer browsers will both start blocking SHA-1 signed TLS certificates, the tech giant announced several months ago.
Beginning Jan. 2017, Firefox 51 will show “an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program,” Mozilla says now. The company also notes that SHA-1 certificates that chain up to manually-imported root certificates will continue to be supported by default, so that enterprises could continue using SHA-1 certificates.
The issuance of SHA-1 certificates mostly halted for the public web in January this year, and new certificates have adopted more secure algorithms, the company says. Thus, the use of SHA-1 on the Internet dropped from 3.5% to 0.8%, Firefox Telemetry data shows.
Mozilla said that it would enable the deprecation of SHA-1 SSL certificates for some of its Firefox 51 Beta users (the beta phase will start November 7), “to evaluate the impact of the policy on real-world usage.” Once Firefox 51 arrives in Jan 2017, the company will disable support for SHA-1 certificates from publicly-trusted certificate authorities for a small subset of users, but will include more users afterwards, eventually completely disabling the algorithm.