Contact emailsdadr...@google.com ExplainerNone
Specificationhttps://www.rfc-editor.org/rfc/rfc9155.html Summary Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported. This feature can be controlled by chrome://flags/#use-sha1-server-handshakes flag and the https://chromeenterprise.google/policies/#InsecureHashesInTLSHandshakesEnabled enterprise policy. Blink componentInternals>Network>SSL <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL> Search tagstls <https://chromestatus.com/features#tags:tls>, ssl <https://chromestatus.com/features#tags:ssl>, sha1 <https://chromestatus.com/features#tags:sha1> TAG reviewNone TAG review statusNot applicable Risks Interoperability and Compatibility At most 0.02% of page loads use the SHA1 fallback. However, we cannot disambiguate between a flaky first connection, and actually requiring SHA1. We expect the actual amount is lower. *Gecko*: No signal ( https://github.com/mozilla/standards-positions/issues/812) *WebKit*: No signal ( https://github.com/WebKit/standards-positions/issues/196) *Web developers*: No signals *Other signals*: WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None Goals for experimentation Since this takes place before a document is loaded, sites cannot opt-in. We plan on doing a 1% stable experiment and monitoring any increase in page load failures and SSL failures. Ongoing technical constraints Debuggability n/a, this happens pre-devtools Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?Yes Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ?No Flag nameuse-sha1-server-handshakes Requires code in //chrome?False Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=658905 Launch bughttps://launch.corp.google.com/launch/4233200 Estimated milestones Shipping on desktop 117 DevTrial on desktop 115 Shipping on Android 117 DevTrial on Android 115 Link to entry on the Chrome Platform Status https://chromestatus.com/feature/4832850040324096 Links to previous Intent discussions https://groups.google.com/a/chromium.org/g/blink-dev/c/rfPtQpqNixk/m/WF3a12okCgAJ This intent message was generated by Chrome Platform Status <https://chromestatus.com/>. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BEWSvOO%3D4QhGfWnRC6Q03VTqrQjPfypFKzwU7aZXGwSQ%40mail.gmail.com.