SHA-1 certificates issued before this date will continue to be trusted until at least July 1, 2016, depending on the browser, but no later than Jan. SHA-1, an aging hashing algorithm, is in the process of being phased out because it is theoretically vulnerable to attacks that could result in forged digital certificates and it's only a matter of time before someone gains the capability to do so.Īs a result, the CA/Browser Forum, a group of certificate authorities and browser makers that sets guidelines for the issuance and use of digital certificates, decided that new SHA-1-signed certificates should not be issued after Jan. The root certificates of those CAs are not trusted by default, so they need to be manually deployed on the computers and devices whose traffic is to be intercepted, so that users' browsers will trust the mock website certificates signed with them. Such applications and systems re-encrypt the traffic between users and websites by creating new certificates for those connections using self-generated CAs (certificate authorities). Many antivirus programs also inspect HTTPS traffic locally on computers using man-in-the-middle techniques in order to detect whether malware is being served through such connections.
However, it has some acceptable uses.įor example, some companies might install HTTPS traffic inspection devices at the network perimeter to ensure that sensitive corporate data is not leaked over encrypted traffic.
Man-in-the-middle HTTPS traffic interception is generally frowned upon by privacy advocates because it breaks the trust between users and servers and because, if done incorrectly, can expose users to serious attacks.