{"id":474,"date":"2014-08-28T14:26:57","date_gmt":"2014-08-28T22:26:57","guid":{"rendered":"http:\/\/unmitigatedrisk.com\/?p=474"},"modified":"2014-09-03T09:04:22","modified_gmt":"2014-09-03T17:04:22","slug":"what-will-chromes-sha1-early-warning-look-like","status":"publish","type":"post","link":"https:\/\/unmitigatedrisk.com\/?p=474","title":{"rendered":"What will Chrome\u2019s SHA1 early warning look like?"},"content":{"rendered":"

NOTE<\/strong>:\u00a0Google has since revised its plan to enable a more gradual migration to SHA256<\/a>, this post is no longer accurate.<\/p>\n

For the last few weeks there has been an ongoing discussion on the Chromium security-dev mailing list<\/a>\u00a0on how Google intends to implement a user interface change to warn users that a SHA1 certificate is in use.<\/p>\n

I wont talk to the reasoning behind this change or to the current and future security properties of SHA1 in this post but I thought some folks might be interested in what this might ultimately look like. I say might because right now there is only a mail thread and who knows how things will evolve and what the copy would be in such user interfaces.<\/p>\n

With that said the thread does describe what affordances\u00a0they intend to use\u00a0when a site has a certificate where it or the corresponding certificate chain has SHA1 based signature in it (excluding the root) that expires after\u00a02016\/1\/1<\/span>\u00a0the user interface may\u00a0be \u201cdegraded\u201d for these sessions.<\/p>\n

At this time it seems the \u201cred x\u201d that is used for mixed content will be used; if so this will look something like this:<\/p>\n

\u00a0\"1\"<\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

For the SHA1 certificates that expire after\u00a02017\/1\/1\u00a0i<\/span>f that page contains active content such as JavaScript and CSS that is served over a SSL session with such a certificate they will not be loaded unless the user explicitly chooses to approve their execution, this would look something like this:<\/p>\n

\"2\"<\/a><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

Again for SHA1 certificates that expire after\u00a02017\/1\/1<\/span>\u00a0if the page contains passive content (such as images) that is served over a SSL session with such a certificate it will not be loaded unless the user chooses to do so and the lock will get a yellow arrow, which will look something like this:<\/p>\n

\"3\"<\/a><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

Which combinations of these things one will\u00a0see would\u00a0be dependent on the specific combination of conditions\u00a0but this will give you some idea on what these changes may look like.<\/p>\n

Ryan<\/p>\n","protected":false},"excerpt":{"rendered":"

NOTE:\u00a0Google has since revised its plan to enable a more gradual migration to SHA256, this post is no longer accurate. For the last few weeks there has been an ongoing discussion on the Chromium security-dev mailing list\u00a0on how Google intends to implement a user interface change to warn users that a SHA1 certificate is in […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,4],"tags":[6,143,144],"class_list":["post-474","post","type-post","status-publish","format-standard","hentry","category-security","category-thoughts","tag-ssl","tag-user-experience","tag-ux"],"_links":{"self":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=474"}],"version-history":[{"count":0,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/474\/revisions"}],"wp:attachment":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}