Intent to Prototype: Deprecate TLS SHA-1 server signatures

625 views
Skip to first unread message

David Adrian

unread,
Apr 3, 2023, 12:59:01 PM4/3/23
to blink-dev, Bob Beck

Contact emails

dad...@google.com

Explainer

None

Specification

https://www.rfc-editor.org/rfc/rfc9155.html

Summary

Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported.



Blink component

Internals>Network>SSL

Motivation

SHA1 has known collisions, and while difficult to exploit in practice, should be avoided. Removing SHA1 support from server signatures removes the ability for a future attacker to exploit some sort of collision in SHA1 to impersonate a server. The use of SHA1 in TLS has already been deprecated by the IETF in RFC 9155. This does not affect client certificates. The decision of whether or not to accept SHA1 in client certificates can be made by server operators who have deployed mTLS.



Initial public proposal



Search tags

tlssslsha1

TAG review



TAG review status

Not applicable

Risks



Interoperability and Compatibility



Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?



Debuggability



Is this feature fully tested by web-platform-tests?

No

Flag name



Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=658905

Launch bug

https://launch.corp.google.com/launch/4233200

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4832850040324096

This intent message was generated by Chrome Platform Status.

Mike Taylor

unread,
Apr 3, 2023, 3:55:50 PM4/3/23
to David Adrian, Bob Beck, blink-dev

Hi David,

On 4/3/23 12:58 PM, 'David Adrian' via blink-dev wrote:

Contact emails

dad...@google.com

Explainer

None

Specification

https://www.rfc-editor.org/rfc/rfc9155.html

Summary

Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported.



Blink component

Internals>Network>SSL

Motivation

SHA1 has known collisions, and while difficult to exploit in practice, should be avoided. Removing SHA1 support from server signatures removes the ability for a future attacker to exploit some sort of collision in SHA1 to impersonate a server. The use of SHA1 in TLS has already been deprecated by the IETF in RFC 9155. This does not affect client certificates. The decision of whether or not to accept SHA1 in client certificates can be made by server operators who have deployed mTLS.



Initial public proposal



Search tags

tlssslsha1

TAG review



TAG review status

Not applicable

Risks



Interoperability and Compatibility



Gecko: No signal

WebKit: No signal
Have Gecko or WebKit shipped or considered this already? Are we coordinating with them on this?


Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?



Debuggability



Is this feature fully tested by web-platform-tests?

No

Flag name

We should stick this change behind a flag, if it isn't already. (This is an I2P, so maybe you're getting to that :)).


Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=658905

Launch bug

https://launch.corp.google.com/launch/4233200

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4832850040324096

This intent message was generated by Chrome Platform Status.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42JGCECAtUFRX6S%2BVriRJrVAwGUUquad6xgDGfiji81ZHg%40mail.gmail.com.

David Adrian

unread,
Apr 3, 2023, 4:47:07 PM4/3/23
to Mike Taylor, Bob Beck, blink-dev
> Have Gecko or WebKit shipped or considered this already? Are we coordinating with them on this?
We usually poke them after we have some initial data from a Finch rollout. AFAIK, all browsers currently support SHA1 in server signature algorithms. The main issue we expect is a specific (now very old and unsupported) version of Microsoft IIS that needed to be explicitly configured to support SHA256.

> We should stick this change behind a flag, if it isn't already. (This is an I2P, so maybe you're getting to that :)).

We did already! But Chrome Status didn't prompt me for it yet. chrome://flags#use-sha1-server-handshakes. We also have a corresponding Finch flag and enterprise policy, etc. in Canary.
Reply all
Reply to author
Forward
0 new messages