On Wed, Jun 7, 2023 at 7:15 PM 'David Adrian' via blink-dev < blink-dev@chromium.org> wrote:
> Contact emailsdadr...@google.com > > ExplainerNone > > Specificationhttps://www.rfc-editor.org/rfc/rfc9155.html > > Summary > > Chrome is removing support for signature algorithms using SHA-1 for server > signatures during the TLS handshake. This does not affect SHA-1 support in > server certificates, which was already removed, or in client certificates, > which continues to be supported. > > > This feature can be controlled by > chrome://flags/#use-sha1-server-handshakes flag and the > https://chromeenterprise.google/policies/#InsecureHashesInTLSHandshakesEnabled > enterprise policy. > > > Blink componentInternals>Network>SSL > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL> > > Search tagstls <https://chromestatus.com/features#tags:tls>, ssl > <https://chromestatus.com/features#tags:ssl>, sha1 > <https://chromestatus.com/features#tags:sha1> > > TAG reviewNone > > TAG review statusNot applicable > > Risks > > > Interoperability and Compatibility > > At most 0.02% of page loads use the SHA1 fallback. However, we cannot > disambiguate between a flaky first connection, and actually requiring SHA1. > We expect the actual amount is lower. > 0.02% sounds like a lot. Is there a way to get a tighter estimate of potential breakage? > > > *Gecko*: No signal ( > https://github.com/mozilla/standards-positions/issues/812) > > *WebKit*: No signal ( > https://github.com/WebKit/standards-positions/issues/196) > > *Web developers*: No signals > > *Other signals*: > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > None > > > Goals for experimentation > > Since this takes place before a document is loaded, sites cannot opt-in. > We plan on doing a 1% stable experiment and monitoring any increase in page > load failures and SSL failures. > > Ongoing technical constraints > > > > Debuggability > > n/a, this happens pre-devtools > > > Will this feature be supported on all six Blink platforms (Windows, Mac, > Linux, Chrome OS, Android, and Android WebView)?Yes > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ?No > > Flag nameuse-sha1-server-handshakes > > Requires code in //chrome?False > > Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=658905 > > Launch bughttps://launch.corp.google.com/launch/4233200 > > Estimated milestones > Shipping on desktop 117 > DevTrial on desktop 115 > Shipping on Android 117 > DevTrial on Android 115 > > Link to entry on the Chrome Platform Status > https://chromestatus.com/feature/4832850040324096 > > Links to previous Intent discussions > https://groups.google.com/a/chromium.org/g/blink-dev/c/rfPtQpqNixk/m/WF3a12okCgAJ > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BEWSvOO%3D4QhGfWnRC6Q03VTqrQjPfypFKzwU7aZXGwSQ%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BEWSvOO%3D4QhGfWnRC6Q03VTqrQjPfypFKzwU7aZXGwSQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfXb%2BN3EnqXO6JSQLKyTmEsL_SoCbm-5nk1zGp6LM608Lg%40mail.gmail.com.