Google’s Plans for SHA-1 Certificates

Google plans to retire SHA-1 certificates – and it may be sooner than anticipated.

SHA-1 – Heading For the Graveyard

SHA-1’s demise has been certain for a decade – it was shown to be theoretically vulnerable to attack as early as 2005. Current plans drawn up by the CA/B Forum (the industry’s trade association) will halt creation of new SHA-1 certificates as of January 1, 2016 and deprecate all SHA-1 certificate use by January 1, 2017.

Recent studies now suggest that SHA-1 will be compromised much sooner – and more affordably – than previously thought. Google and other technology companies are thus considering moving up their retirement deadlines. (A draft CA/B Forum proposal to allow limited SHA-1 certificate issuance through the end of 2016 was also put to rest – security cognoscenti want SHA-1 off the board as soon as humanly possible.)

Google’s Accelerated Retirement Plan

Google plans a two step process. In the first stage (already underway) SHA-1 certificates encountered by Chrome are flagged with warning messages and display cues. The second – complete rejection of all SHA-1 certificates – may be brought forward six months, to July 1 2016.

Both Mozilla and Microsoft are also considering this accelerated deadline for their browsers, while CloudFlare and Facebook are setting up workarounds for the small percentage of their users who have no alternative to SHA-1 certificates.

Check back with – we’ll keep you up to date as this story develops.

Subscribe to’s Newsletter

Don’t miss new articles and updates from

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.