In September and November of 2016, Google announced two major changes they plan to make in Chrome 56, which they will release near the end of January 2017. With the release of Chrome 56, Google will update the security indicator icon for HTTP connections, and will end support for SHA-1 certificates.
In one of the boldest moves yet for Google, sites that still use HTTP will be plainly marked “Not secure.”
In previous versions of Chrome, Google marked HTTP connections as not secure using only a neutral security icon. However, Google feels that the icon does not relay to users the appropriate lack of security of HTTP connections. To reinforce the importance of security, Chrome 56 will explicitly state “Not secure” accompanied by the neutral icon for any HTTP page that collects passwords, credit card details, or sensitive information.
Here is what the proposed change will look like:
Explicitly stating HTTP connections as “Not secure” is only one step Google is taking to ensure users are notified of unsecure pages. Eventually, Chrome will mark HTTP pages as “Not secure” in red lettering preceded by a red warning triangle.
The other change coming in Chrome 56 is the end of support for SHA-1. Ending support for SHA-1 in Chrome 56 will likely help organizations make the decision to transition to SHA-2. Although this change may come with some growing pains, ultimately the benefits to transitioning outweigh the costs, the transition to SHA-2 will help strengthen security for both an organization’s website and site visitors.
To help ease the transition from SHA-1 to SHA-2, DigiCert offers simple-to-follow steps and tools. There is still time to make the transition and our support team can help you if you need assistance at any point in the process.
Chrome 56 will not support SHA-1, however, Google recognizes there may be organizations who wish to continue using SHA-1 certificates within a private PKI. To give these organizations more time to make the move from SHA-1 to SHA-2, Google provides the EnableSha1ForLocalAnchors policy, which allows a SHA-1 certificate to be used in the certificate chain as long as it chains to a local trust anchor. Again, this is only meant to aid organizations to make the move to SHA-2 and is not intended to be a permanent solution.
Google plans to remove the policy set in January 2019. Google urges organizations to make the switch to SHA-2 sooner rather than later in order to strengthen security immediately.
This update to Chrome 56 brings with it changes that will no doubt help bolster website security and make the web safer for users.