Skip to main content

Google Chrome takes on SHA-1 for Internet safety

Even if all people are created equal, power is not distributed equally; big players direct the world. In other words, if a company or person has enough power, they can influence policy and change, while the little guys tend to follow their lead. Sure, it may be a cynical point of view, and not an absolute, but as a little guy, it seems to be rather constant.

Today, one of those big companies, Google, is influencing the internet yet again, by effectively killing SHA-1. How is it doing this? Well, the search giant is declaring SHA-1 to no longer be safe, so starting with Chrome 39, sites that use it will no longer be considered totally secure. Since the company's browser has such a large install-base, this should cause webmasters to abandon SHA-1 at a faster rate. Is Google correct to do this?

"The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper", says Google.

The search-giant further explains, "we plan to surface, in the HTTPS security indicator in Chrome, the fact that SHA-1 does not meet its design guarantee. We are taking a measured approach, gradually ratcheting down the security indicator and gradually moving the timetable up (keep in mind that we release stable versions of Chrome about 6-8 weeks after their branch point".

Google is smart to not do this abruptly - it is giving webmasters time to make their sites more secure, based on the certificate expiration date. It is hard to criticise the search-giant for taking this approach; however, I would prefer to have seen a team effort. In other words, Google should have worked with Microsoft, Mozilla, Opera and others, so that all browsers can be on the same page and timetable. It will be confusing when a site shows to be secure in Internet Explorer or Firefox, but not Chrome.

Over time, Google will gradually treat these SHA-1 secured sites with the following proclamations and associated visual cues:

1.) Step 1 -- Secure, but with minor errors


2.) Step 2 -- Neutral, lacking security


3.) Step 3 -- Affirmatively insecure


So, is Google correct to use its influence to push its agenda? In this case, yes; the web will be more secure as a result. Still, as I stated earlier, I would rather this be a concerted effort between Google and other browser developers. The search giant doesn't always have to be the lone hero.

Image Credit: wk1003mike / Shutterstock

Read more: How to check whether your online accounts have been compromised