SecurityWeek

Network Security

Microsoft Plans Valentine’s Breakup With SHA-1

Starting on February 14, 2017, Microsoft’s Edge and Internet Explorer 11 web browsers will no longer load sites protected with a SHA-1 certificate, but will instead display an invalid certificate warning.

Weaknesses in the 20-year-old crypto algorithm were found over a decade ago, but recent research revealing that collision attacks against SHA-1 are increasingly feasible has forced tech firms to sunset the algorithm sooner than originally planned. Starting in early 2017, most Certificate Authorities (CAs) will no longer issue certs using the SHA-1 cryptographic hash algorithm.

Although the deadline to transition to the more secure SHA-2 and SHA-3 algorithms is looming, research published last week from Venafi revealed that 35% of websites still use SHA-1 certificates. These sites could face disruption in the New Year, as Internet companies and major browser providers will kill support for the algorithm too.

Mozilla was the first browser maker to announce such plans a couple of weeks ago, when it revealed that, starting in Firefox 51, the browser would display an error message when encountering a SHA-1 cert. Both Google and Microsoft followed suit last week, saying that Chrome, Edge, and Internet Explorer 11 will move ahead with deprecating support for the crypto early next year.

For Edge and Internet Explorer 11 users, the change will be visible starting on Valentine’s Day, when they will be met with a warning when such insecure certificates are encountered. However, users will have the option to ignore the warning and continue to the website, Microsoft says.

“The SHA-1 hash algorithm is no longer secure. Weaknesses in SHA-1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web. Microsoft, in collaboration with other members of the industry, is working to phase out SHA-1,” Alec Oot and Jody Cloutier, Senior Program Manager, Microsoft Edge Team, reveal.

They also explain that only SHA-1 certificates that chain to a Microsoft Trusted Root CA will be impacted by this change. This means that manually installed enterprise or self-signed SHA-1 certificates won’t be affected, although all organizations are advised to migrate to SHA-256 as soon as possible.

In the meantime, site admins who believe they might be affected by the upcoming change can test how their websites will behave, as long as they have the latest November 2016 Windows Updates installed, Microsoft says. The company provides a set of instructions on what commands to run for that.


Citing “the imminent possibility of attacks that could directly impact the integrity of the Web PKI,” Google too revealed last week that it plans to sunset the old crypto hash algorithm when Chrome 56 would arrive in late Jan. 2017.

“We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behavior. Website operators are urged to check for the use of SHA-1 certificates and immediately contact their CA for a SHA-256 based replacement if any are found,” Andrew Whalley, Chrome Security, noted in a blog post.

While Chrome 56 will display an error when encountering a SHA-1 cert, it will do so only for certificates that chain to a public CA. The browser won’t block certificates chaining to a locally installed trust anchor next year; support for these will be removed on Jan. 1, 2019, Whalley said.
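One way to perform the check Whalley urges on site operators, as an added example that is not Microsoft’s or Google’s tooling: a minimal DER walker that reads each certificate’s outer signatureAlgorithm and flags the SHA-1 OIDs. Feed it the DER of the leaf and intermediates only (the trust anchor’s own signature is never verified, which is why root certs are out of scope); `stub_cert`, `SHA1_RSA` and `SHA256_RSA` are constructed test inputs, not real certificates.

```python
# Signature algorithms that rely on SHA-1 (RFC 3279 / RFC 5758 OIDs).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """OBJECT IDENTIFIER contents to dotted form: first octet packs two arcs, rest are base-128."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, body, _ = read_tlv(cert_der, 0)    # outer SEQUENCE
    _, _, pos = read_tlv(body, 0)         # skip tbsCertificate entirely
    _, alg_id, _ = read_tlv(body, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)     # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid)

def sha1_findings(chain: list[bytes]) -> list[tuple[int, str]]:
    """(index, algorithm) for each SHA-1-signed cert. Pass leaf and intermediates only:
    the trust anchor's own signature is never verified, so its algorithm is irrelevant."""
    oids = [signature_oid(der) for der in chain]
    return [(i, SHA1_SIG_OIDS[o]) for i, o in enumerate(oids) if o in SHA1_SIG_OIDS]

def stub_cert(sig_oid_der: bytes) -> bytes:
    """Constructed test input: correct outer certificate shape, dummy tbsCertificate/signature."""
    tlv = lambda tag, v: bytes([tag, len(v)]) + v          # short-form lengths suffice here
    tbs = tlv(0x30, tlv(0x02, b"\x02"))                    # stand-in for the real tbsCertificate
    alg = tlv(0x30, tlv(0x06, sig_oid_der) + b"\x05\x00")  # OID followed by NULL parameters
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xaa"))   # BIT STRING placeholder signature
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # constructed: 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # constructed: 1.2.840.113549.1.1.11
```

For a real site, pass the DER of the served chain (for PEM files, the standard library’s `ssl.PEM_cert_to_DER_cert` converts each one); any finding means the CA should be asked for a SHA-256 replacement.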

He also explained that the EnableSha1ForLocalAnchors policy, introduced in Chrome 54, which allows certs that chain to a locally installed trust anchor to continue being used after general SHA-1 support has been removed from Chrome, will become mandatory starting with Chrome 57 (March 2017). Thus, organizations will have more time to complete the transition to SHA-256.

Related: 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline

Related: Firefox to Display Error When Encountering SHA-1 Certificates

Ionut Arghire is an international correspondent for SecurityWeek.
