> Have Gecko or WebKit shipped or considered this already? Are we coordinating with them on this?

We usually poke them after we have some initial data from a Finch rollout. AFAIK, all browsers currently support SHA1 in server signature algorithms. The main issue we expect is a specific (now very old and unsupported) version of Microsoft IIS that needed to be explicitly configured to support SHA256.

> We should stick this change behind a flag, if it isn't already. (This is an I2P, so maybe you're getting to that :)).

We did already! But Chrome Status didn't prompt me for it yet. chrome://flags#use-sha1-server-handshakes. We also have a corresponding Finch flag and enterprise policy, etc. in Canary.

On Mon, Apr 3, 2023 at 1:55 PM Mike Taylor <[email protected]> wrote:

> Hi David,
>
> On 4/3/23 12:58 PM, 'David Adrian' via blink-dev wrote:
>
> > Contact emails [email protected]
> >
> > Explainer None
> >
> > Specification https://www.rfc-editor.org/rfc/rfc9155.html
> >
> > Summary
> >
> > Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported.
> >
> > Blink component Internals>Network>SSL <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL>
> >
> > Motivation
> >
> > SHA1 has known collisions, and while difficult to exploit in practice, should be avoided. Removing SHA1 support from server signatures removes the ability for a future attacker to exploit some sort of collision in SHA1 to impersonate a server. The use of SHA1 in TLS has already been deprecated by the IETF in RFC 9155. This does not affect client certificates. The decision of whether or not to accept SHA1 in client certificates can be made by server operators who have deployed mTLS.
> >
> > Initial public proposal
> >
> > Search tags tls <https://chromestatus.com/features#tags:tls>, ssl <https://chromestatus.com/features#tags:ssl>, sha1 <https://chromestatus.com/features#tags:sha1>
> >
> > TAG review
> >
> > TAG review status Not applicable
> >
> > Risks
> >
> > Interoperability and Compatibility
> >
> > *Gecko*: No signal
> >
> > *WebKit*: No signal
>
> Have Gecko or WebKit shipped or considered this already? Are we coordinating with them on this?
>
> > *Web developers*: No signals
> >
> > *Other signals*:
> >
> > WebView application risks
> >
> > Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
> >
> > Debuggability
> >
> > Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? No
> >
> > Flag name
>
> We should stick this change behind a flag, if it isn't already. (This is an I2P, so maybe you're getting to that :)).
>
> > Requires code in //chrome? False
> >
> > Tracking bug https://bugs.chromium.org/p/chromium/issues/detail?id=658905
> >
> > Launch bug https://launch.corp.google.com/launch/4233200
> >
> > Estimated milestones
> >
> > No milestones specified
> >
> > Link to entry on the Chrome Platform Status https://chromestatus.com/feature/4832850040324096
> >
> > This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
>
> --
> You received this message because you are subscribed to the Google Groups "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42JGCECAtUFRX6S%2BVriRJrVAwGUUquad6xgDGfiji81ZHg%40mail.gmail.com.
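The intent above is about what Chrome *offers* in the signature_algorithms extension of its ClientHello: once the SHA-1 code points are gone, a server that can only produce SHA-1 handshake signatures (the old IIS case mentioned in the reply) has nothing to negotiate and the handshake fails. The following is an added example, not code from the thread or from Chromium, that parses the signature_algorithms extension (type 13, code points from RFC 5246 and RFC 8446) out of a raw TLS ClientHello record and reports which SHA-1 based schemes the client still offers. That is the check a server operator or a passive network monitor would run to see whether connecting clients depend on SHA-1 before a rollout like this one reaches them. The ClientHello bytes and the `build_client_hello` helper are constructed for this example.

```python
"""Report SHA-1 signature schemes offered in a TLS ClientHello (added example)."""
import struct

# TLS SignatureScheme code points (RFC 8446 s4.2.3; 0x02xx are RFC 5246 SHA-1 pairs).
SIGNATURE_SCHEMES = {
    0x0201: "rsa_pkcs1_sha1",
    0x0202: "dsa_sha1",  # legacy RFC 5246 hash/signature pair (SHA-1, DSA)
    0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519",
    0x0808: "ed448",
}
SHA1_SCHEMES = {0x0201, 0x0202, 0x0203}
EXT_SIGNATURE_ALGORITHMS = 13


def client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} from a TLS record holding a ClientHello."""
    # Record header: content type (1 byte, 0x16 = handshake), legacy version (2), length (2).
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: message type (1 byte, 0x01 = ClientHello), length (3 bytes).
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32  # skip legacy_version and the 32-byte random
    sid_len = hello[pos]; pos += 1 + sid_len                           # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    comp_len = hello[pos]; pos += 1 + comp_len                         # compression_methods
    if pos >= len(hello):
        return {}  # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    exts = {}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        exts[ext_type] = hello[pos:pos + ext_len]
        pos += ext_len
    return exts


def offered_signature_schemes(record: bytes) -> list:
    """Decode the signature_algorithms extension into its list of code points, in order."""
    data = client_hello_extensions(record).get(EXT_SIGNATURE_ALGORITHMS)
    if data is None:
        return []
    list_len = struct.unpack("!H", data[:2])[0]
    return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, list_len, 2)]


def sha1_schemes_offered(record: bytes) -> list:
    """Names of the SHA-1 based schemes the client offered; empty means no SHA-1 dependency."""
    return [SIGNATURE_SCHEMES.get(s, hex(s))
            for s in offered_signature_schemes(record) if s in SHA1_SCHEMES]


def build_client_hello(schemes) -> bytes:
    """Constructed minimal ClientHello carrying only a signature_algorithms extension."""
    sig_list = b"".join(struct.pack("!H", s) for s in schemes)
    ext_data = struct.pack("!H", len(sig_list)) + sig_list
    ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(ext_data)) + ext_data
    hello = (
        b"\x03\x03"                # legacy_version: TLS 1.2
        + bytes(32)                # random: zeros, constructed for the example
        + b"\x00"                  # empty legacy_session_id
        + b"\x00\x02\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"              # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: a client that still offers ecdsa_sha1 and rsa_pkcs1_sha1.
LEGACY_HELLO = build_client_hello([0x0403, 0x0804, 0x0401, 0x0203, 0x0201])
# Constructed sample: a client with the SHA-1 schemes removed, as the intent describes.
MODERN_HELLO = build_client_hello([0x0403, 0x0804, 0x0401, 0x0805, 0x0501])

if __name__ == "__main__":
    for name, hello in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(name, "offers SHA-1 schemes:", sha1_schemes_offered(hello) or "none")
```

A server whose signing path can only produce SHA-1 signatures will fail to negotiate with a ClientHello like `MODERN_HELLO`; running this over captured ClientHellos (for instance the first record of each connection on a listener) shows how many clients still advertise the `0x02xx` schemes, which is the same data the Finch rollout is meant to surface from the browser side.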
