davi...@chromium.org
Explainer
None
Specification
https://www.rfc-editor.org/rfc/rfc9155.html
Summary
Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported.
Blink component
Internals>Network>SSL
Search tags
tls, ssl, sha1
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
At most 0.02% of page loads use the SHA1 fallback. However, we cannot disambiguate between a flaky first connection and a server that actually requires SHA1, so we expect the true figure to be lower.
Gecko: No signal (https://github.com/mozilla/standards-positions/issues/812)
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/196)
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Goals for experimentation
Since this takes place before a document is loaded, sites cannot opt-in. We plan on doing a 1% stable experiment and monitoring any increase in page load failures and SSL failures.
This experiment is managed via Finch, not as an Origin / Deprecation Trial.
Sites that are incapable of SHA2 signatures would fail to load. However, we believe the actual set of sites that don't support SHA2 is very small. Due to how negotiation works in TLS, we can't tell the difference between "prefers SHA1 to SHA2, but has a flaky network" and "only supports SHA1". In the worst case, this is 0.02% of TLS connections. In the best case, this is 0%.
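A practical check a site operator can run to see which of the two cases above a server falls into, as an added example that is not part of the intent or of Chromium's code. It assumes the openssl(1) command-line tool (1.1.1 or later) is installed, and the SHA-2-only signature-algorithm list is a constructed approximation of Chrome's offer, not Chrome's actual list:

```shell
#!/bin/sh
# Added example (not Chromium code): offer a server only SHA-2 signature
# algorithms, the way Chrome will after this change, and report which
# digest it actually signed the TLS 1.2 handshake with.
# Assumes openssl(1) 1.1.1 or newer is on PATH.

# Assumed SHA-2-only offer list for illustration; no SHA-1 scheme in it.
SHA2_ONLY="ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA+SHA256:RSA+SHA384:RSA+SHA512"
# The same list with SHA-1 appended last, i.e. the old fallback offer.
WITH_SHA1="$SHA2_ONLY:RSA+SHA1:ECDSA+SHA1"

# TLS 1.2 handshake against host[:port] with the given signature_algorithms
# list; prints the s_client transcript. TLS 1.3 is excluded because it
# already forbids SHA-1 handshake signatures.
handshake_transcript() {
  host=$1; port=${2:-443}; sigalgs=${3:-$SHA2_ONLY}
  openssl s_client -connect "$host:$port" -servername "$host" \
    -tls1_2 -sigalgs "$sigalgs" </dev/null 2>&1
}

# Classify a transcript:
#   sha1     server signed the handshake with SHA-1
#   sha2     server signed with a SHA-2 digest
#   unsigned handshake completed with no signed ServerKeyExchange
#            (e.g. static RSA key exchange), so nothing to remove
#   failed   no handshake completed: the case that would break
classify_transcript() {
  t=$1
  if printf '%s\n' "$t" | grep -q '^Peer signing digest: SHA1$'; then
    echo sha1
  elif printf '%s\n' "$t" | grep -Eq '^Peer signing digest: SHA(256|384|512)$'; then
    echo sha2
  elif printf '%s\n' "$t" | grep -q '^New, TLSv1\.2, Cipher is [^(]'; then
    echo unsigned
  else
    echo failed
  fi
}

# Run both offers. "sha2" without SHA-1 but "sha1" with it means the server
# merely prefers SHA-1; "failed" without SHA-1 means it only supports SHA-1,
# which is the case Chrome's metrics cannot separate from a flaky connection.
check_server() {
  without=$(classify_transcript "$(handshake_transcript "$1" "$2" "$SHA2_ONLY")")
  with=$(classify_transcript "$(handshake_transcript "$1" "$2" "$WITH_SHA1")")
  echo "$1: without SHA-1 -> $without; with SHA-1 -> $with"
}
```

Call `check_server example.com 443` against a server you operate; a "failed" result in the first column is the outcome to fix before the removal ships.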
Ongoing technical constraints
None
Debuggability
n/a, this happens pre-devtools
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes
No
Flag name
use-sha1-server-handshakes
Requires code in //chrome?
False
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=658905
Launch bug
https://launch.corp.google.com/launch/4233200
Estimated milestones
Shipping on desktop | 117
OriginTrial desktop last | 116
OriginTrial desktop first | 115
DevTrial on desktop | 115
Shipping on Android | 117
OriginTrial Android last | 116
OriginTrial Android first | 115
DevTrial on Android | 115
OriginTrial webView last | 116
OriginTrial webView first | 115
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/4832850040324096
Links to previous Intent discussions
https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM
https://groups.google.com/a/chromium.org/g/blink-dev/c/rfPtQpqNixk/m/WF3a12okCgAJ