The statements differ here: Mozilla intends to dispense with SHA-1 certificates from 1 January 2017.
As of Chrome version 39, which will be released in November 2014, Google classifies websites with SHA-1 certificates valid until or after January 1, 2017 as "secure, but with minor errors". You can recognize this by a lock with a yellow triangle in front of the Internet address, which indicates obsolete or insecure applications.
With the following Chrome version 40, Google will also treat websites with SHA-1 certificates expiring between June 1 and December 31, 2016 as "secure, but with minor errors". This browser version classifies SHA-1-signed certificates expiring on or after January 1, 2017 as "neutral, lacking security". Visually, this classification is displayed like a website without an SSL certificate: you will see a white, empty sheet in front of the domain.
In the final step, which is expected to begin with Chrome version 41 in Q1 2015, SHA-1 certificates expiring between 1 January and 31 December 2016 will be classified as "secure, but with minor errors". Also with this Chrome version, SHA-1-signed certificates expiring on or after January 1, 2017 will be classified as "affirmatively insecure, major errors". Chrome signals this with a lock with a red cross and a red, crossed-out HTTPS. The symbols and data can be found in our article.
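The staged Chrome ratings described above, encoded as a small audit over a certificate inventory. This is an added example, not code from Google or from the original article; the inventory entries are constructed, the "no downgrade" label is chosen for this example, and "valid until or after January 1, 2017" is read as an expiry date on or after that day.

```python
from datetime import date

MINOR = "secure, but with minor errors"
NEUTRAL = "neutral, lacking security"
INSECURE = "affirmatively insecure, major errors"
OK = "no downgrade"  # label chosen for this example, not Chrome's wording

# Per Chrome version: (earliest expiry, latest expiry or None for open-ended, rating).
# The date windows are the ones stated in the article text.
POLICY = {
    39: [(date(2017, 1, 1), None, MINOR)],
    40: [(date(2016, 6, 1), date(2016, 12, 31), MINOR),
         (date(2017, 1, 1), None, NEUTRAL)],
    41: [(date(2016, 1, 1), date(2016, 12, 31), MINOR),
         (date(2017, 1, 1), None, INSECURE)],
}

def uses_sha1(sig_alg):
    """True for names such as 'sha1WithRSAEncryption' or 'ecdsa-with-SHA1'."""
    return "sha1" in sig_alg.lower().replace("-", "")

def chrome_rating(sig_alg, not_after, version):
    """Rating a certificate receives in the given Chrome version (39, 40 or 41)."""
    if not uses_sha1(sig_alg):
        return OK
    for start, end, rating in POLICY[version]:
        if not_after >= start and (end is None or not_after <= end):
            return rating
    return OK  # SHA-1 certificate that expires before any listed window

def audit(inventory):
    """Return {host: {version: rating}} for every certificate in the inventory."""
    return {host: {v: chrome_rating(alg, exp, v) for v in sorted(POLICY)}
            for host, alg, exp in inventory}

# Constructed sample inventory: (host, signature algorithm, notAfter date).
SAMPLE = [
    ("shop.example", "sha1WithRSAEncryption", date(2017, 3, 15)),
    ("mail.example", "sha1WithRSAEncryption", date(2016, 8, 1)),
    ("intra.example", "sha1WithRSAEncryption", date(2016, 2, 1)),
    ("www.example", "sha256WithRSAEncryption", date(2017, 3, 15)),
]

if __name__ == "__main__":
    for host, ratings in audit(SAMPLE).items():
        for version, rating in ratings.items():
            print(f"{host:14} Chrome {version}: {rating}")
```

Certificates that show a downgrade in any column are the ones to reissue with a SHA-2 signature first, starting with those that expire in 2017 or later.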
Microsoft has also commented on the matter: the Redmond company will continue to allow SHA-1 certificates under Windows until December 31, 2016, with the exception of SHA-1 certificates for Windows Code Signing. These can only be used until 31 December 2015. As of January 1, 2017, it will no longer be possible to use SHA-1 server, user or sub-CA certificates under Windows.
To make sure that you are up to date with the latest security technology and that your website can be accessed without a warning message, we recommend that you make the switch by 31 December 2016 at the latest.