Secure Hash Algorithm (SHA) is published by National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS), while SHA-1 is one hash function of SHA family, which is widely used by Certification Authorities (CAs) and Web site administrators for their SSL certificates.
However, in 2005, cryptanalysts found collision attacks on SHA-1 and proved that SHA-1 might not be secure enough. With computer speed getting faster and Internet service cheaper, it is simply a matter of time to abandoning SHA-1 and move to SHA-2. NIST Guidance recommended that SHA-1 certificates should not be trusted beyond 2014.
As the gateway to Internet, browsers have the responsibility to create a safer environment. Microsoft and Google have declared their roadmap of sunsetting SHA-1. We, Maxthon, in collaboration with other members of this industry, also decide to discontinue support for the SHA-1 certificate in our Maxthon browsers.
Here are our enforcement details:
On December 22th¹, 2016, Maxthon will release an update version to MX5: V5.0.2.1000². From this version on, sites with SHA-1 based signature as part of the certificate chain will be implemented with additional UI indicator, reminding users the current page is not safe, though these sites will continue to work and users could visit them at their own risk.
As a browser that takes security and privacy at high priority, Maxthon already has our additional security check system: Maxthon Internet Authority, which is also supported by many third-party certification authorities. So after V5.0.2.1000, in addition to the already existed Maxthon Internet Authority check, Secure Hash Algorithm check will also be applied and will be in higher priority than the former.
Sites beginning with “https://”
In V5.0.2.1000 or later, websites that are using SSL certificates with SHA-1 based signatures, whether validated by Maxthon Internet Authority check or not, will be shown “INSECURE” with a red lock as following³:
Sites that are using SSL certificates with SHA-2 based signatures, whether validated by Maxthon Internet Authority check or not, will be shown “SECURE” with a green lock as following:
However, if the SSL certificate with SHA-2 based signature has expired or is not yet valid, “INSECURE” with a red lock will also be shown, whether this site is validated by Maxthon Internet Authority check or not.
Sites beginning with “http://”
For “http://” websites, there will be no SHA check but only Maxthon Internet Authority check supported by third-party certification authorities.
Given that, websites validated by Maxthon Internet Authority check will be shown with a green shield before the URL, while nothing will be shown if this site is not validated.
By this SHA-1 deprecation plan, we hope to bring awareness to Internet security and help create a safer browsing environment. We encourage Certification Authorities and website administrators to upgrade their certificates to a stronger security configuration.
Note: More security warning will be added to the Developer Tools console in future updated versions. Please stay tuned.
1 & 2: Release date and version are subject to change, but we will surely get this plan off the ground before January 1st, 2017
3: All above design screenshots are for reference purpose only and subject to change.