Google and others have been aiming to make the use of website certificates easier, cheaper and therefore more common amongst website providers, the intent being that this makes the internet a safer, more reliable and trustworthy place for everyone. One key issue is making something technically complex visible and easy to recognise for the average user.

It’s now very clear that the SHA-1 signature algorithm is well and truly compromised and should not be used to issue certificates at all. As a consequence, Firefox and Google Chrome no longer accept older SHA-1 certificates when they encounter them on a website, and flag the site as “insecure”.
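The first thing to check on your own certificates is the signature algorithm the issuing CA actually used. The following is an added example, not code from the original post: a minimal, standard-library-only DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and reports whether it is one of the SHA-1 algorithms the browsers now reject. The certificate bytes at the bottom are constructed placeholders (an empty tbsCertificate and a dummy signature), not real certificates; a real PEM file can be converted with `ssl.PEM_cert_to_DER_cert` before calling `is_sha1_signed`.

```python
# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
# We only need the second element, whose first item is the algorithm OID.

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = length-octet count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OID content octets into dotted notation (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

# Signature algorithm OIDs that use SHA-1 as the digest.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

def signature_algorithm_oid(der):
    """Return the dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert_body, 0)          # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert_body, pos)    # signatureAlgorithm SEQUENCE
    oid_tag, oid_raw, _ = _read_tlv(sig_alg, 0)
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid_raw)

def is_sha1_signed(der):
    return signature_algorithm_oid(der) in SHA1_SIGNATURE_OIDS

def _fake_cert(alg_oid_der):
    """Constructed test data: wrap an algorithm OID in a minimal Certificate shell."""
    tbs = bytes([0x30, 0x00])                                    # empty tbsCertificate
    sig_alg = bytes([0x30, len(alg_oid_der) + 2]) + alg_oid_der + bytes([0x05, 0x00])
    sig_val = bytes([0x03, 0x02, 0x00, 0xAA])                    # dummy BIT STRING
    body = tbs + sig_alg + sig_val
    return bytes([0x30, len(body)]) + body

SHA1_RSA_CERT = _fake_cert(bytes.fromhex("06092a864886f70d010105"))    # sha1WithRSAEncryption
SHA256_RSA_CERT = _fake_cert(bytes.fromhex("06092a864886f70d01010b"))  # sha256WithRSAEncryption
```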

It’s important that the average user understands what’s going on and whether or not they can trust the connection, and therefore the website they are looking at. This indication of the SSL connection’s status has gone through a number of iterations, in Chrome especially, as the process has evolved over the past year or so.

A recent change in Chrome has removed the ability to immediately see the actual certificate being used by a website. Until this latest release, it was possible to view the details of the certificate with a couple of mouse clicks. In its place there’s a “Learn More” link that leads the user to a comprehensive explanation of the certificate process. Now it’s only by opening the Developer Tools window that the certificate information can be seen.

A really detailed explanation of Chrome’s HTTPS UX and the thinking behind it is in a blog post by one of Google’s security engineers, noncombatant.

Mozilla and The End of SHA-1 on the Public Web

Decoding Chrome’s HTTPS User Interface

SHA-1 Is Broken

If you need any help or advice regarding SSL certification, please get in touch with our team.