
Chrome to Remove Support for SHA-1 Signatures in TLS

Google will be removing support for SHA-1 signatures in TLS in a future release of Chrome (version 117).

SHA-1 is a hash function that is known to have collisions: it is possible to create two different pieces of data that have the same SHA-1 hash value. An attacker could use this to impersonate a TLS server by creating a certificate with a SHA-1 signature that matches the signature of a legitimate certificate.

The removal of support for SHA-1 signatures in TLS is a security measure that will help to protect users from this attack. The IETF, the organization that develops the standards for the internet, has deprecated the use of SHA-1 signatures in TLS, and most browsers have already removed support for them.

Chrome will continue to support SHA-1 in client certificates and client signatures for now. However, server operators can and should reject SHA-1 from the client when deploying client certificates. This will help to mitigate the risk of client impersonation attacks.
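
One way a Go server that requires client certificates could enforce the advice above (an added example, not code from the original post). The helper names are hypothetical, and requiring TLS 1.3 to rule out SHA-1 client handshake signatures is an assumption about the deployment:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// sha1Sigs lists the x509 signature algorithms that hash with SHA-1.
var sha1Sigs = map[x509.SignatureAlgorithm]bool{
	x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
}

// CheckChainNoSHA1 rejects a chain (leaf first) whose leaf or intermediates are
// SHA-1 signed. The last element of a longer chain is the trust anchor: skipped.
func CheckChainNoSHA1(chain []*x509.Certificate) error {
	for i, c := range chain {
		if sha1Sigs[c.SignatureAlgorithm] && (i == 0 || i < len(chain)-1) {
			return fmt.Errorf("certificate %d (%q) is signed with %v", i, c.Subject.CommonName, c.SignatureAlgorithm)
		}
	}
	return nil
}

// RejectSHA1Clients is a VerifyPeerCertificate callback: needs one SHA-1-free path.
func RejectSHA1Clients(_ [][]byte, verified [][]*x509.Certificate) error {
	for _, chain := range verified {
		if len(chain) > 0 && CheckChainNoSHA1(chain) == nil {
			return nil
		}
	}
	return errors.New("no client certificate chain without SHA-1 signatures")
}

// NewMTLSConfig (hypothetical helper) builds a server config for client-cert auth.
func NewMTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             clientCAs,
		MinVersion:            tls.VersionTLS13, // TLS 1.3 forbids SHA-1 in CertificateVerify
		VerifyPeerCertificate: RejectSHA1Clients,
	}
}

func main() {
	// Constructed sample chain: only the field the check reads is set.
	fmt.Println(CheckChainNoSHA1([]*x509.Certificate{{SignatureAlgorithm: x509.SHA1WithRSA}}))
}
```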
