New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Chrome Makes SharePoint Look Insecure

Chrome Says “No” to SharePoint

Yesterday, I noticed that Chrome started to flag any access to SharePoint Online sites, including those for Delve and OneDrive for Business, as insecure (Figure 1). This is obviously a problem, so I reported the issue to Microsoft. I also raised the issue on Twitter to establish whether this was a common problem and received several responses that others had seen the same symptoms along with many observations as to the potential root cause.

Insecure SharePoint site — Figure 1: Chrome reports a SharePoint site as insecure (image credit: Tony Redmond)

Neither the Internet Explorer nor Edge browsers reported any problem with SharePoint, so Chrome was clearly linked to the issue. Previous experience of a problem in Chrome version 37 (September 2014) when Google removed an API used by OWA heightened my anticipation that something Google did contributed to the problem. For the record, I run version 55.0.2883.87 m (64-bit), the current version of Chrome.

Another clue as to what was going on came from reports that not all Office 365 tenants experienced the problem. When only part of the Office 365 infrastructure has a problem, it’s a sign that the root cause might be an update package that Microsoft is “flighting” within Office 365 datacenter regions, perhaps to a small set of tenants such as those who have signed up for First Release.

Diving Deeper

Of course, when you make an Office 365 service request, you should give as much information as possible about a problem to allow Microsoft to deal with the issue promptly. Clicking the Not Secure button in Chrome reveals the details of why the browser considered SharePoint to be a problem (Figure 2).

SharePoint Chrome errors — Figure 2: Details of why Chrome flagged SharePoint as insecure (image credit: Tony Redmond)

The evidence here is clear. If we view the certificate used to secure the site, we see that it uses SHA-2 (Figure 3). That’s good because SHA-2 is considered to be a secure algorithm.

SharePoint.com SHA-2 certificate — Figure SHA2 is used for the sharepoint.com certificate (image credit: Tony Redmond)

The problem lies in that Chrome reports that the certificate chain (from root authority to web site) contains a certificate signed using SHA-1. As a whole, the industry as a whole has long been convinced of the need to move from SHA-1 to SHA-2. Google influences the web in many ways and used this weight to in signalling its intention to discount SHA-1 certificates as secure and to stop supporting the use of these certificates. Google’s statement says that “starting January 1, 2017 at the latest, Chrome will completely stop supporting SHA-1 certificates.”

Were Warnings Ignored?

With Google’s intentions clear, Microsoft and other web site owners were in no doubt about the need to remove SHA-1 certificates from their sites. As always with large and complex infrastructures, change like this cannot be accomplished overnight. Based on a call with Microsoft support at 1PM (Ireland) on January 17, it seems that an update package for SharePoint deployed by Microsoft inside part of Office 365 was incompatible with the change made by Google in the latest version of Chrome. Any sites updated by the package generated the security warning.

Microsoft is rolling back the update to restore SharePoint Online, OneDrive for Business, Delve, and other sites that use SharePoint (like Office 365 Video) to a secure status, at least in the eyes of Chrome. Other Office 365 sites, like OWA, did not have the same problem. At the time of writing, some of my SharePoint Online sites are reporting that they are secure while others still show up as insecure. The update package is due to be adjusted to take account of the latest Chrome version before Microsoft redeploys it within Office 365.

The full story of why Microsoft did not understand and react to what Google was doing to deprecate SHA-1 through Chrome updates might never emerge. After all, no one wants to own up to ignoring important developments in the industry. However, in this case, we can say that the steps taken by Microsoft to ensure that SharePoint Online continued to work smoothly after Chrome updates was sub-optimal.

To be fair to Microsoft, the security of customer data was never threatened, so it’s really just a case of reputational damage and heightened heart rates for Office 365 administrators.

The episode serves as due warning to those responsible for other web sites – if you want Chrome to treat your site as secure, eliminate SHA-1.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.

by Tony Redmond
Jan 17, 2017

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with c...

Microsoft and AI: What Is the Copilot Semantic Index and How Does It Work?

Feb 6, 2024
Mar 21, 2024
How to Grant Full Mailbox Access to Users in Office 365 and Exchange Server

Aug 4, 2023
Aug 08, 2023
Nested Microsoft 365 Groups: What You Need to Know

Jul 12, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.