Yesterday, I noticed that Chrome started to flag any access to SharePoint Online sites, including those for Delve and OneDrive for Business, as insecure (Figure 1). This is obviously a problem, so I reported the issue to Microsoft. I also raised the issue on Twitter to establish whether this was a common problem and received several responses that others had seen the same symptoms along with many observations as to the potential root cause.
Neither the Internet Explorer nor Edge browsers reported any problem with SharePoint, so Chrome was clearly linked to the issue. Previous experience of a problem in Chrome version 37 (September 2014) when Google removed an API used by OWA heightened my anticipation that something Google did contributed to the problem. For the record, I run version 55.0.2883.87 m (64-bit), the current version of Chrome.
Another clue as to what was going on came from reports that not all Office 365 tenants experienced the problem. When only part of the Office 365 infrastructure has a problem, it’s a sign that the root cause might be an update package that Microsoft is “flighting” within Office 365 datacenter regions, perhaps to a small set of tenants such as those who have signed up for First Release.
Of course, when you make an Office 365 service request, you should give as much information as possible about a problem to allow Microsoft to deal with the issue promptly. Clicking the Not Secure button in Chrome reveals the details of why the browser considered SharePoint to be a problem (Figure 2).
The evidence here is clear. If we view the certificate used to secure the site, we see that it uses SHA-2 (Figure 3). That’s good because SHA-2 is considered to be a secure algorithm.
The problem is that Chrome reports that the certificate chain (from root authority to web site) contains a certificate signed using SHA-1. The industry as a whole has long been convinced of the need to move from SHA-1 to SHA-2. Google influences the web in many ways and used this weight in signalling its intention to stop treating SHA-1 certificates as secure and to stop supporting the use of these certificates. Google’s statement says that “starting January 1, 2017 at the latest, Chrome will completely stop supporting SHA-1 certificates.”
With Google’s intentions clear, Microsoft and other web site owners were in no doubt about the need to remove SHA-1 certificates from their sites. As always with large and complex infrastructures, change like this cannot be accomplished overnight. Based on a call with Microsoft support at 1PM (Ireland) on January 17, it seems that an update package for SharePoint deployed by Microsoft inside part of Office 365 was incompatible with the change made by Google in the latest version of Chrome. Any sites updated by the package generated the security warning.
Microsoft is rolling back the update to restore SharePoint Online, OneDrive for Business, Delve, and other sites that use SharePoint (like Office 365 Video) to a secure status, at least in the eyes of Chrome. Other Office 365 sites, like OWA, did not have the same problem. At the time of writing, some of my SharePoint Online sites are reporting that they are secure while others still show up as insecure. The update package is due to be adjusted to take account of the latest Chrome version before Microsoft redeploys it within Office 365.
The full story of why Microsoft did not understand and react to what Google was doing to deprecate SHA-1 through Chrome updates might never emerge. After all, no one wants to own up to ignoring important developments in the industry. However, in this case, we can say that the steps taken by Microsoft to ensure that SharePoint Online continued to work smoothly after Chrome updates were sub-optimal.
To be fair to Microsoft, the security of customer data was never threatened, so it’s really just a case of reputational damage and heightened heart rates for Office 365 administrators.
The episode serves as due warning to those responsible for other web sites – if you want Chrome to treat your site as secure, eliminate SHA-1.
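One way to check a site's chain for the condition Chrome reported (a SHA-2 leaf with a SHA-1 signature further up), as an added example that is not part of the original article or any Microsoft or Google tooling. It assumes a PEM bundle ordered leaf first and root last; the function names are hypothetical and the sample chain is made of constructed skeleton certificates, not real ones.

```python
import base64, re

# DER-encoded OIDs (hex) of SHA-1-based signature algorithms.
SHA1_SIG_OIDS = {"2a864886f70d010105": "sha1WithRSAEncryption",
                 "2a8648ce3d0401": "ecdsa-with-SHA1", "2a8648ce380403": "dsa-with-sha1"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def signature_oid(cert_der):
    """Hex OID of the outer signatureAlgorithm, i.e. what the issuer signed with."""
    tag, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, pos = read_tlv(cert, 0)          #   tbsCertificate (skipped)
    _, alg, _ = read_tlv(cert, pos)        #   signatureAlgorithm
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return oid.hex()

def sha1_links(pem_bundle, skip_anchor=True):
    """Return [(position, algorithm)] for SHA-1-signed certs; position 0 is the leaf."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                        pem_bundle, re.S)
    chain = [base64.b64decode(b) for b in blocks]
    # Assumption of this example: the last entry is the root, which clients trust
    # by identity rather than by its self-signature, so it is not judged.
    if skip_anchor and len(chain) > 1:
        chain = chain[:-1]
    names = [SHA1_SIG_OIDS.get(signature_oid(der)) for der in chain]
    return [(i, n) for i, n in enumerate(names) if n]

# Constructed sample: skeleton certificates (empty tbsCertificate, dummy signature).
def skeleton_pem(oid_hex):
    oid = bytes.fromhex(oid_hex)
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x02\x00\x00"
    der = b"\x30" + bytes([len(body)]) + body
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

# Leaf signed with SHA-256, intermediate and root signed with SHA-1.
SAMPLE_CHAIN = (skeleton_pem("2a864886f70d01010b") + skeleton_pem("2a864886f70d010105")
                + skeleton_pem("2a864886f70d010105"))
```

Calling `sha1_links(SAMPLE_CHAIN)` reports position 1, the intermediate, even though the leaf itself is SHA-2, which is the situation the browser warning described.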
Follow Tony on Twitter @12Knocksinna.