Maxthon SHA-1 Certificates Deprecation Plan

Secure Hash Algorithm (SHA) is published by National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS), while SHA-1 is one hash function of SHA family, which is widely used by Certification Authorities (CAs) and Web site administrators for their SSL certificates.

However, in 2005, cryptanalysts found collision attacks on SHA-1 and proved that SHA-1 might not be secure enough. With computer speed getting faster and Internet service cheaper, it is simply a matter of time to abandoning SHA-1 and move to SHA-2. NIST Guidance recommended that SHA-1 certificates should not be trusted beyond 2014.

As the gateway to Internet, browsers have the responsibility to create a safer environment. Microsoft and Google have declared their roadmap of sunsetting SHA-1. We, Maxthon, in collaboration with other members of this industry, also decide to discontinue support for the SHA-1 certificate in our Maxthon browsers.

 

Here are our enforcement details:

On December 22th¹, 2016, Maxthon will release an update version to MX5: V5.0.2.1000². From this version on, sites with SHA-1 based signature as part of the certificate chain will be implemented with additional UI indicator, reminding users the current page is not safe, though these sites will continue to work and users could visit them at their own risk.

As a browser that takes security and privacy at high priority, Maxthon already has our additional security check system: Maxthon Internet Authority, which is also supported by many third-party certification authorities. So after V5.0.2.1000, in addition to the already existed Maxthon Internet Authority check, Secure Hash Algorithm check will also be applied and will be in higher priority than the former.

 

Sites beginning with “https://”

In V5.0.2.1000 or later, websites that are using SSL certificates with SHA-1 based signatures, whether validated by Maxthon Internet Authority check or not, will be shown “INSECURE” with a red lock as following³:

insecure

Sites that are using SSL certificates with SHA-2 based signatures, whether validated by Maxthon Internet Authority check or not, will be shown “SECURE” with a green lock as following:

secure

However, if the SSL certificate with SHA-2 based signature has expired or is not yet valid, “INSECURE” with a red lock will also be shown, whether this site is validated by Maxthon Internet Authority check or not.

insecure

 

Sites beginning with “http://”

For “http://” websites, there will be no SHA check but only Maxthon Internet Authority check supported by third-party certification authorities.

Given that, websites validated by Maxthon Internet Authority check will be shown with a green shield before the URL, while nothing will be shown if this site is not validated.

http-link

By this SHA-1 deprecation plan, we hope to bring awareness to Internet security and help create a safer browsing environment. We encourage Certification Authorities and website administrators to upgrade their certificates to a stronger security configuration.

 

Note: More security warning will be added to the Developer Tools console in future updated versions. Please stay tuned.

1 & 2: Release date and version are subject to change, but we will surely get this plan off the ground before January 1st, 2017

3: All above design screenshots are for reference purpose only and subject to change.


Posted

in

,

by

Comments

5 responses to “Maxthon SHA-1 Certificates Deprecation Plan”

  1. jimena Avatar
    jimena

    I like this website

    1. maxthon Avatar
      maxthon

      Hi jimena, it’s my honor to have your “like”!!!

  2. […] Browsers that discontinued support for SHA-1 will illustrate error or special notification when you …, and suggest that you should not enter sensitive information on those sites to protect your privacy. Conversely, browsers that still support SHA-1 certificate will not give any reminder. […]

  3. fernando morales Avatar

    hola, soy un usuario regular de maxthon, de varios años.
    tengo un sitio web con SSL que todos los navegadores muestran con el candado verde,por ejemplo firefox, edge, opera entre otros.
    maxthon lo muestra en color naranja, es decir como sitio seguro , pero aun no validado por maxthon.
    cual seria la manera correcta de validarlo para que mostrara el candado en verde ?
    o a quien deberia dirigirme ?

    saludos

    fernando morales
    feralf.com

  4. www.webroot.com/safe Avatar

    Webroot applications is among the proven best Antivirus software.
    If you own a device or system and you are connecting it to iinternet or a different ddevice then you
    have to have anti virus software. Virus or some other risaky threat
    like Malware, Trojan, Spyware, Rootkit orr internet hacking orr
    attack may slip ykur data and damage your system. And also to save your syystem from such
    snacks, install antivirus software called webroot from http://www.webroot.com/safe and protected your system.

    Although the practice of Webroot setup can be performed by you readily from webroot.com/safe some procedure may bother
    you because of some conflicting beyween system and applications or
    other application. And yoou may search for the help to complete the procedure and
    resolve the difficulties. We support by trained cadre who
    is ready to support you 24/7.

Leave a Reply

Your email address will not be published. Required fields are marked *