Microsoft Plans Valentine’s Breakup With SHA-1

Starting on February 14, 2017, Microsoft’s Edge and Internet Explorer 11 web browsers will no longer load sites protected with a SHA-1 certificate, but will instead display an invalid certificate warning.

Weaknesses in the 20-year-old crypto algorithm were found over a decade ago, but recent research revealing that collision attacks against SHA-1 are increasingly feasible has forced tech firms to sunset the algorithm sooner than originally planned. Starting in early 2017, most Certificate Authorities (CAs) will no longer issue certs using the SHA-1 cryptographic hash algorithm.

Although the deadline to transition to the more secure SHA-2 and SHA-3 algorithms is looming, research published last week from Venafi revealed that 35% of websites still use SHA-1 certificates. These sites could face disruption in the New Year, as Internet companies and major browser providers will kill support for the algorithm too.

Mozilla was the first browser maker to announce such plans a couple of weeks ago, when it revealed that, starting in Firefox 51, the browser would display an error message when encountering a SHA-1 cert. Both Google and Microsoft followed suit last week, saying that Chrome, Edge, and Internet Explorer 11 will move ahead with deprecating support for the crypto early next year.

For Edge and Internet Explorer 11 users, the change will be visible starting on Valentine’s Day, when they will be met with a warning when such insecure certificates are encountered. However, users will have the option to ignore the warning and continue to the website, Microsoft says.

“The SHA-1 hash algorithm is no longer secure. Weaknesses in SHA-1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web. Microsoft, in collaboration with other members of the industry, is working to phase out SHA-1,” Alec Oot and Jody Cloutier, Senior Program Manager, Microsoft Edge Team, reveal.

They also explain that only SHA-1 certificates that chain to a Microsoft Trusted Root CA will be impacted by this change. This means that manually installed enterprise or self-signed SHA-1 certificates won’t be affected, although all organizations are advised to migrate to SHA-256 as soon as possible.

In the meantime, site admins who believe they might be impacted by the upcoming change can test how their websites will behave once it takes effect, as long as they have the latest November 2016 Windows Updates installed, Microsoft says. The company provides a set of instructions on what commands to run for that.

Citing “the imminent possibility of attacks that could directly impact the integrity of the Web PKI,” Google too revealed last week that it plans to sunset the old crypto hash algorithm when Chrome 56 arrives in late Jan. 2017.

“We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behavior. Website operators are urged to check for the use of SHA-1 certificates and immediately contact their CA for a SHA-256 based replacement if any are found,” Andrew Whalley, Chrome Security, noted in a blog post.
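Both Microsoft and Google tell site operators to check their own certificates before the cut-off dates. The example below is added here and is not from the article, Microsoft or Google: it walks the outer DER structure of an X.509 certificate with the Python standard library only and reports the signature algorithm OID, flagging the SHA-1 variants (sha1WithRSAEncryption, ecdsa-with-SHA1, dsa-with-sha1). The OID tables and the `fake_certificate()` builder are assumptions made for this example; the builder produces a skeleton certificate with a placeholder body so the parser can be exercised offline, but the same parser reads the outer structure of a real PEM or DER certificate exported from a server or browser.

```python
"""Report the signature algorithm of an X.509 certificate and flag SHA-1.

Only the outer structure is walked (added example, not the article's code):
    Certificate ::= SEQUENCE {
        tbsCertificate      SEQUENCE,
        signatureAlgorithm  SEQUENCE { algorithm OID, parameters ANY OPTIONAL },
        signatureValue      BIT STRING }
"""
import base64
import re

# Signature algorithm OIDs whose digest is SHA-1 (standard OIDs; list assumed complete enough
# for a web-server check, not for every legacy algorithm).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
# A few SHA-2 OIDs so the report can name what it found instead of printing a bare OID.
OTHER_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID content octets into dotted-decimal text."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:        # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)      # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("algorithm is not an OID")
    return _decode_oid(oid)


def check_certificate(der):
    """Classify a DER certificate: returns (is_sha1, algorithm_name_or_oid)."""
    oid = signature_algorithm_oid(der)
    if oid in SHA1_SIGNATURE_OIDS:
        return True, SHA1_SIGNATURE_OIDS[oid]
    return False, OTHER_SIGNATURE_OIDS.get(oid, oid)


def pem_to_der(pem):
    """Strip PEM armour and whitespace, then base64-decode to DER."""
    return base64.b64decode(re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem))


def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


# --- constructed sample input (skeleton certificates, not real ones) ---------------------
def _tlv(tag, value):
    """Encode one DER element with short or long definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                         # base-128 with continuation bits, most significant first
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Skeleton Certificate SEQUENCE carrying sig_oid; tbsCertificate and signature are placeholders."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" * 257)                                     # 2048-bit placeholder, long-form length
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        sha1, name = check_certificate(pem_to_der(der_to_pem(fake_certificate(oid))))
        print(f"{name}: {'SHA-1, replace before the browser cut-off' if sha1 else 'ok'}")
```

To check a live site, save the chain exported from a browser (or from `openssl s_client -showcerts`) as PEM and pass each certificate through `check_certificate(pem_to_der(...))`; every certificate in the chain below the root matters, since browsers reject SHA-1 anywhere in the chain to a public root.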

While Chrome 56 will display an error when encountering a SHA-1 cert, it will do so only for certificates that chain to a public CA. The browser won’t block certificates chaining to a locally installed trust anchor next year; support for these will be removed on Jan. 1, 2019, Whalley said.

He also explained that the EnableSha1ForLocalAnchors policy, introduced in Chrome 54, which allows certs that chain to a locally installed trust anchor to continue being used after support has been removed from Chrome, will become mandatory starting with Chrome 57 (March 2017). Thus, organizations will have more time to complete the transition to SHA-256.

Related: 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline

Related: Firefox to Display Error When Encountering SHA-1 Certificates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
