Contact: [email protected], [email protected]

Explainer: None

Specification: https://www.rfc-editor.org/rfc/rfc9155.html

Summary
Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported.

Blink component: Internals>Network>SSL <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL>

Search tags: tls <https://chromestatus.com/features#tags:tls>, ssl <https://chromestatus.com/features#tags:ssl>, sha1 <https://chromestatus.com/features#tags:sha1>

TAG review: None
TAG review status: Not applicable

Risks

Interoperability and Compatibility
At most 0.02% of page loads use the SHA1 fallback. However, we cannot disambiguate between a flaky first connection, and actually requiring SHA1. We expect the actual amount is lower.

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/812)
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/196)
Web developers: No signals
Other signals:

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None

Goals for experimentation
Since this takes place before a document is loaded, sites cannot opt-in. We plan on doing a 1% stable experiment and monitoring any increase in page load failures and SSL failures. This experiment is managed via Finch, not as an Origin / Deprecation Trial.

Experiment Risks
Sites that are incapable of SHA2 signatures would fail to load. However, we believe the actual set of sites that don't support SHA2 is very small. Due to how negotiation works in TLS, we can't tell the difference between "prefers SHA1 to SHA2, but has a flaky network" and "only supports SHA1". In the worst case, this is 0.02% of TLS connections. In the best case, this is 0%.

Ongoing technical constraints
None

Debuggability
n/a, this happens pre-devtools

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? Yes

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? No

Flag name: use-sha1-server-handshakes

Requires code in //chrome? False

Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=658905
Launch bug: https://launch.corp.google.com/launch/4233200

Estimated milestones
Shipping on desktop: 117
OriginTrial desktop last: 116
OriginTrial desktop first: 115
DevTrial on desktop: 115
Shipping on Android: 117
OriginTrial Android last: 116
OriginTrial Android first: 115
DevTrial on Android: 115
OriginTrial webView last: 116
OriginTrial webView first: 115

Link to entry on the Chrome Platform Status: https://chromestatus.com/feature/4832850040324096

Links to previous Intent discussions
https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM
https://groups.google.com/a/chromium.org/g/blink-dev/c/rfPtQpqNixk/m/WF3a12okCgAJ

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
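The Summary and Experiment Risks sections above concern the SignatureAndHashAlgorithm a TLS 1.2 server puts in its ServerKeyExchange, and why a client that stops offering SHA-1 cannot tell a SHA-1-only server from a server that merely prefers SHA-1. The following is an added example, not Chromium code or anything from the intent: it encodes a SHA-2-only signature_algorithms extension in the shape RFC 9155 calls for, models the server-side selection that makes the two cases indistinguishable, and parses a captured ECDHE ServerKeyExchange to flag a SHA-1 signature. All handshake bytes are constructed inline (the point and signature are placeholders, not valid cryptographic values), and the function names are this example's own.

```python
"""Inspect TLS 1.2 signature algorithm negotiation for the SHA-1 schemes RFC 9155 deprecates.
Added example with constructed sample bytes; not Chromium code."""
import struct

# SignatureScheme code points (RFC 8446 section 4.2.3). TLS 1.2's SignatureAndHashAlgorithm
# uses the same two bytes, hash id then signature id (RFC 5246 section 7.4.1.4.1),
# so any 0x02xx value means "hashed with SHA-1".
SIGNATURE_SCHEMES = {
    0x0201: "rsa_pkcs1_sha1",
    0x0202: "dsa_sha1",
    0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519",
    0x0808: "ed448",
}
HASH_SHA1 = 0x02
HANDSHAKE_SERVER_KEY_EXCHANGE = 12   # HandshakeType server_key_exchange
EXT_SIGNATURE_ALGORITHMS = 13        # ExtensionType signature_algorithms
CURVE_TYPE_NAMED_CURVE = 3


def is_sha1_scheme(scheme: int) -> bool:
    """True when the hash half of the code point is SHA-1."""
    return (scheme >> 8) == HASH_SHA1


def sha2_only_offer() -> list:
    """The signature_algorithms list a client sends once SHA-1 is dropped from its offer."""
    return [s for s in SIGNATURE_SCHEMES if not is_sha1_scheme(s)]


def signature_algorithms_extension(schemes) -> bytes:
    """Encode a signature_algorithms extension: type, data length, list length, 2-byte entries."""
    entries = b"".join(struct.pack("!H", s) for s in schemes)
    data = struct.pack("!H", len(entries)) + entries
    return struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(data)) + data


def server_select(client_offer, server_supported):
    """Model the TLS 1.2 server-side choice: first server-preferred scheme the client
    offered, or None, which on the wire becomes a handshake failure. A flaky network
    and a SHA-1-only server both present to the client as "the first attempt failed"."""
    for s in server_supported:
        if s in client_offer:
            return s
    return None


def build_ecdhe_server_key_exchange(scheme: int, point: bytes, signature: bytes,
                                    named_curve: int = 0x0017) -> bytes:
    """Assemble an ECDHE ServerKeyExchange (RFC 8422 section 5.4) from constructed
    point and signature bytes; nothing here is cryptographically valid."""
    body = (bytes([CURVE_TYPE_NAMED_CURVE]) + struct.pack("!H", named_curve)
            + bytes([len(point)]) + point
            + struct.pack("!HH", scheme, len(signature)) + signature)
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


def parse_ecdhe_server_key_exchange(msg: bytes) -> dict:
    """Pull the SignatureAndHashAlgorithm out of a captured ECDHE ServerKeyExchange."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or len(body) < 4:
        raise ValueError("truncated handshake message")
    if body[0] != CURVE_TYPE_NAMED_CURVE:
        raise ValueError("only named_curve ECParameters are handled")
    named_curve = struct.unpack("!H", body[1:3])[0]
    pos = 4 + body[3]                      # skip the ECPoint length byte and the point
    if len(body) < pos + 4:
        raise ValueError("truncated signature header")
    scheme, sig_len = struct.unpack("!HH", body[pos:pos + 4])
    if len(body) != pos + 4 + sig_len:
        raise ValueError("signature length does not match message length")
    return {
        "named_curve": named_curve,
        "scheme": scheme,
        "scheme_name": SIGNATURE_SCHEMES.get(scheme, "unknown(0x%04x)" % scheme),
        "sha1": is_sha1_scheme(scheme),
        "signature_len": sig_len,
    }


if __name__ == "__main__":
    # Constructed sample: a legacy server signing its ECDHE share with rsa_pkcs1_sha1.
    point = b"\x04" + bytes(64)            # placeholder for an uncompressed P-256 point
    info = parse_ecdhe_server_key_exchange(build_ecdhe_server_key_exchange(0x0201, point, bytes(256)))
    print("server signed with", info["scheme_name"], "- SHA-1:", info["sha1"])
    # The same negotiation seen from the client: a SHA-1-preferring server still completes
    # the handshake with SHA-256, while a SHA-1-only server has no common scheme at all.
    print("prefers SHA-1:", hex(server_select(sha2_only_offer(), [0x0201, 0x0401])),
          "| SHA-1 only:", server_select(sha2_only_offer(), [0x0201]))
```

Run against ServerKeyExchange messages pulled from a packet capture, the parser lists which servers sign with a 0x02xx scheme and will therefore fail once the SHA-1 fallback is gone; the `server_select` model shows why the client-side metric in the intent cannot separate "SHA-1 only" from "first attempt failed for another reason" without a second, SHA-1-offering attempt.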
