Magento and upcoming SSL requirements
At the end of January, Google will release Chrome 56 with two important changes:
- Sites using SHA1 SSL certificates will be blocked
- Sites accepting passwords or credit cards without SSL will show a warning
Other browsers such as Firefox have also announced stricter SSL handling.
Old SHA1 SSL certificates
Old SSL certificates use SHA1 hashing, which is considered insecure. New certificates use SHA256 or even SHA512. The quest to eliminate insecure SSL certificates has been going on for a few years. Browsers have displayed incrementally intrusive warnings. The latest Chrome warning is a red mark in your address bar:
But from January onwards, Chrome 56 will actually block you from visiting the site.
Half a year ago I wrote that 37.000 Magento sites were using insecure SSL certificates. Now, that was an awful lot. The good news is that certificates have to be renewed periodically, and SSL providers have not handed out insecure certs since 2016.
So what is the verdict today? I have reran my scan of all 305K known Magento stores globally and detected .. only 432 stores with outdated SSL! These stores have an old insecure certificate with multi-year validity (beyond 2016) and their owners probably forgot about them.
To summarize, less than 0.2% of Magento stores will break once Google releases Chrome 56. I think that is an amazing result.
No SSL at all
Until now, Chrome showed a small exclamation mark for non-SSL stores. Chrome 56 will show a slightly bigger warning:
While this isn’t exactly terrifying yet, it will hopefully encourage a couple more store owners to go SSL-only. Because that isn’t quite commonplace: out of 305.000 Magento stores, only 31.000 (<11%) enforce SSL site-wide.
In June 2017 I will run a new scan. How many Magento sites will be HTTPS only by then? Place your bet in the comments below.