MacOS & Safari SHA-1 deprecation policy?

Hi all,


Does anyone know if, when and how Safari will deprecate the SHA-1 algorithm for websites?


With the Sierra update, I noticed that websites with SHA-1 signed certificates already appear as insecure (no locker in the URL bar).


Will this policy be enforced by completely blocking access to these websites, starting January 2017 like with Chrome or Firefox?


In the Sierra 10.12 release notes (https://developer.apple.com/library/content/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html), under the 'Security and Privacy Enhancements' topic, I can read:

'SSLv3 cryptographic protocol and the RC4 symmetric cipher suite are no longer supported, starting at the end of 2016. It's recommended that you stop using the SHA-1 and 3DES cryptographic algorithms as soon as possible.'


Stopping SHA-1 seems to be recommended but not mandatory... until when?


Thanks for all your answers,


Regards,


Sylvain

Replies

AFAIK Apple hasn’t made any specific announcements here. The nearest we’ve come is a general warning in WWDC 2016 Session 706 What’s New in Security.

Speaking personally, you should get off SHA-1 as soon as is feasible, partly because it’s steadily being unsupported by various platform vendors but, most importantly, because it’s not actually secure.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks!