Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Microsoft Kills SHA-1 Support in Edge, Internet Explorer 11

As of May 9, 2017, Microsoft Edge and Internet Explorer 11 browsers no longer offer support for websites that are protected with a SHA-1 certificate.

As of May 9, 2017, Microsoft Edge and Internet Explorer 11 browsers no longer offer support for websites that are protected with a SHA-1 certificate.

Introduced in 1995, the SHA-1 cryptographic hash function has been proven insecure several times, with the first attacks against it demonstrated over a decade ago. After an attack method that lowered the cost of an SHA-1 collision in 2015, Google demonstrated earlier this year that this type of attacks is becoming increasingly practical.

Over the past few years, the industry has been moving away from SHA-1, yet numerous sites still use it. As of January 2017, most Certificate Authorities have stopped issuing new certificates that use the cryptographic hash function, and only one fifth of websites were still using such certs in March, which is looking much better compared to last fall, when 35% of websites were still using SHA-1.

Other web browsers makers revealed plans to deprecate SHA-1 a couple of years ago, and Microsoft confirmed a year ago plans to make a similar move. Initially, Edge and Internet Explorer 11 would display a warning when encountering sites using SHA-1, but starting this week, they are no longer loading these sites, the tech giant says.

“Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning,” the company announced.

The change, however, impacts only SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. This means that enterprises or self-signed SHA-1 certificates won’t be affected by this. They are, however, encouraged to migrate to SHA-2 based certificates as fast as possible.

“Microsoft recommends that all customers migrate to SHA-2, and the use of SHA-1 as a hashing algorithm for signing purposes is discouraged and is no longer a best practice. The root cause of the problem is a known weakness of the SHA-1 hashing algorithm that exposes it to collision attacks. Such attacks could allow an attacker to generate additional certificates that have the same digital signature as an original,” the company notes.

Mozilla and Google also moved forth with the removal of support for SHA-1 certificates in Firefox and Chrome earlier this year. The ultimate purpose is to completely disable the algorithm in all these browsers.

Related: 1 in 5 Websites Still Use SHA-1: Report

Related: First SHA-1 Collision Attack Conducted by Google, CWI

Related: Apache Subversion System Affected by SHA-1 Collision

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...