Firefox 51 to show "Untrusted Connection" error for sites using digital certificates signed with SHA-1

Oct 18, 2016 17:50 GMT

One year after Mozilla announced plans to phase out digital certificates signed with the SHA-1 algorithm, SHA-1 usage has gone down significantly, from over 50 percent last year to 3.5 percent in May 2016, and to only 0.8 percent of all encrypted traffic this month, according to Firefox telemetry data.

As such, Mozilla announced today that, starting with Firefox 51, the browser will show an "Untrusted Connection" error whenever an SHA-1 certificate is encountered.

Firefox 51 is set for release in January 2017 and falls in line with Mozilla's initial plan of blacklisting SHA-1 certificates by early 2017.

Mozilla led the way for SHA-1 deprecation

Mozilla was the leading force behind the SHA-1 deprecation process after researchers from universities in Holland and France showed last autumn that breaking SHA-1 was far cheaper than expected.

After Mozilla had laid out its SHA-1 deprecation timeline, both Google and Microsoft followed suit, and the plan became official after NIST (National Institute of Standards and Technology) gave its blessing.

Since January 1, 2016, browser vendors have banned Certificate Authorities (CAs) from issuing new SSL/TLS certificates signed with the SHA-1 algorithm.

SHA-1 deprecation almost complete

There were some exceptions and even some controversies, but in most cases, CAs respected the SHA-1 ban, and SHA-1's decreasing market share is a testament to their work.

As of now, older certificates signed with SHA-1 are still treated as trusted, but starting January 1, 2017, browser vendors plan to mark HTTPS connections that use them as insecure, regardless of the date on which the SHA-1-signed certificate was issued.

For special cases such as intranet sites and other closed networks, J.C. Jones, Crypto Engineer at Mozilla, has said that Firefox won't show this warning if the SHA-1 certificates chain up to a manually imported root certificate.
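To see what the browser-side check amounts to, here is an added example (not Mozilla's code) that walks a DER certificate chain with only Python's standard library and reports which non-root certificates carry a SHA-1 signature, skipping the trust anchor because its self-signature is never verified. The certificates are constructed stand-ins, and the OID table and the `fake_cert` helper are assumptions of this example, not anything from the article.

```python
# Added example (not Mozilla's code): find SHA-1 signatures in a certificate
# chain. Chain is ordered leaf -> root; the root's self-signature is skipped.
SIGNATURE_HASH = {                      # signature OID -> digest it uses
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption (RFC 3279)
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1 (RFC 3279)
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption (RFC 4055)
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256 (RFC 5758)
}

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OID content octets (base-128 arcs) to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """OID from the outer signatureAlgorithm field of a DER X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)                 # Certificate ::= SEQUENCE {
    _, _, tbs_end = _tlv(cert_der, pos)           #   tbsCertificate  (skipped)
    _, alg_pos, _ = _tlv(cert_der, tbs_end)       #   signatureAlgorithm SEQUENCE {
    tag, start, end = _tlv(cert_der, alg_pos)     #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(cert_der[start:end])

def sha1_signed_positions(chain):
    """Indices (leaf = 0) of non-root certificates whose signature uses SHA-1."""
    return [i for i, der in enumerate(chain[:-1])
            if SIGNATURE_HASH.get(signature_algorithm_oid(der)) == "sha1"]

def _der(tag, content):  # tiny DER encoder (lengths < 256) for constructed samples
    n = len(content)
    return bytes([tag] + ([n] if n < 128 else [0x81, n])) + content

def fake_cert(oid_hex, tbs_size=0):
    """Constructed stand-in, NOT a real certificate: dummy TBS, real OID, 1-byte sig."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"\x00" * tbs_size) + alg + _der(0x03, b"\x00\x00"))
```

Feeding the function real DER bytes (for example from `ssl.DER_cert_to_PEM_cert`'s inverse or a saved `.der` file) works the same way, since only the outer SEQUENCE layout is relied on.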

In December 2015, Facebook and Cloudflare urged browser vendors to allow CAs to issue SHA-1 certificates but only for usage in older browsers where SHA-2 or other algorithms are not supported. Their proposition was largely ignored, despite making a lot of sense.