Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET!
Office|Office 365|SharePoint

Chrome Makes SharePoint Look Insecure

Chrome Says “No” to SharePoint

Yesterday, I noticed that Chrome started to flag any access to SharePoint Online sites, including those for Delve and OneDrive for Business, as insecure (Figure 1). This is obviously a problem, so I reported the issue to Microsoft. I also raised the issue on Twitter to establish whether this was a common problem and received several responses that others had seen the same symptoms along with many observations as to the potential root cause.

Insecure SharePoint site
Figure 1: Chrome reports a SharePoint site as insecure (image credit: Tony Redmond)

Neither the Internet Explorer nor Edge browsers reported any problem with SharePoint, so Chrome was clearly linked to the issue. Previous experience of a problem in Chrome version 37 (September 2014) when Google removed an API used by OWA heightened my anticipation that something Google did contributed to the problem. For the record, I run version 55.0.2883.87 m (64-bit), the current version of Chrome.

Another clue as to what was going on came from reports that not all Office 365 tenants experienced the problem. When only part of the Office 365 infrastructure has a problem, it’s a sign that the root cause might be an update package that Microsoft is “flighting” within Office 365 datacenter regions, perhaps to a small set of tenants such as those who have signed up for First Release.

Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.



Diving Deeper

Of course, when you make an Office 365 service request, you should give as much information as possible about a problem to allow Microsoft to deal with the issue promptly. Clicking the Not Secure button in Chrome reveals the details of why the browser considered SharePoint to be a problem (Figure 2).

SharePoint Chrome errors
Figure 2: Details of why Chrome flagged SharePoint as insecure (image credit: Tony Redmond)

The evidence here is clear. If we view the certificate used to secure the site, we see that it uses SHA-2 (Figure 3). That’s good because SHA-2 is considered to be a secure algorithm.

SharePoint.com SHA-2 certificate
Figure SHA2 is used for the sharepoint.com certificate (image credit: Tony Redmond)

The problem lies in that Chrome reports that the certificate chain (from root authority to web site) contains a certificate signed using SHA-1. As a whole, the industry as a whole has long been convinced of the need to move from SHA-1 to SHA-2. Google influences the web in many ways and used this weight to in signalling its intention to discount SHA-1 certificates as secure and to stop supporting the use of these certificates. Google’s statement says that “starting January 1, 2017 at the latest, Chrome will completely stop supporting SHA-1 certificates.”

Were Warnings Ignored?

With Google’s intentions clear, Microsoft and other web site owners were in no doubt about the need to remove SHA-1 certificates from their sites. As always with large and complex infrastructures, change like this cannot be accomplished overnight. Based on a call with Microsoft support at 1PM (Ireland) on January 17, it seems that an update package for SharePoint deployed by Microsoft inside part of Office 365 was incompatible with the change made by Google in the latest version of Chrome. Any sites updated by the package generated the security warning.

Microsoft is rolling back the update to restore SharePoint Online, OneDrive for Business, Delve, and other sites that use SharePoint (like Office 365 Video) to a secure status, at least in the eyes of Chrome. Other Office 365 sites, like OWA, did not have the same problem. At the time of writing, some of my SharePoint Online sites are reporting that they are secure while others still show up as insecure. The update package is due to be adjusted to take account of the latest Chrome version before Microsoft redeploys it within Office 365.

The full story of why Microsoft did not understand and react to what Google was doing to deprecate SHA-1 through Chrome updates might never emerge. After all, no one wants to own up to ignoring important developments in the industry. However, in this case, we can say that the steps taken by Microsoft to ensure that SharePoint Online continued to work smoothly after Chrome updates was sub-optimal.

To be fair to Microsoft, the security of customer data was never threatened, so it’s really just a case of reputational damage and heightened heart rates for Office 365 administrators.

The episode serves as due warning to those responsible for other web sites – if you want Chrome to treat your site as secure, eliminate SHA-1.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.


Sponsored By