
Microsoft Edge and IE To Stop Trusting SHA-1 Certificates This Summer

Microsoft's Internet browsers will stop trusting Web sites using SHA-1 certificates for security, starting this summer.

SHA-1 is a cryptographic hash algorithm that's used for Internet security, such as in the HTTPS protocol and in the certificates used to protect Web sites. Researchers have found that SHA-1 can be broken without great cost using a so-called "freestart collision attack" method, which taps graphics accelerator cards.

Consequently, these researchers have urged a faster retirement of SHA-1. The SHA-2 hash algorithm should be used instead, they say. It isn't affected by the attack.

On Friday, Microsoft further clarified its timeline in reaction to this SHA-1 flaw. Its browsers, Microsoft Edge and Internet Explorer, will no longer show trust for Web sites using SHA-1-signed certificates, starting this summer. These untrusted sites can still be accessed by those browsers, but the "bar lock" trust icon that users see in the address bar of their browsers will not appear.

Moreover, by February 2017, Edge and IE will block access to sites signed with SHA-1 certificates, Microsoft's announcement warned. The company had previously proposed an even more aggressive deprecation timeline of June 2016, but that date appears to have been postponed.

The summer SHA-1 deprecation will coincide with Microsoft's release of the Windows 10 "anniversary update," which is currently at the preview stage. Microsoft hasn't yet indicated exactly when the anniversary update will be released as a finished product, but it's targeted for a summer release.

The summer policy change will affect Edge on Windows 10, as well as IE on Windows 7, Windows 8.1 and Windows 10. It will only affect Web site certificates "that chain to a CA [certificate authority] in the Microsoft Trusted Root Certificate program," Microsoft's announcement explained.

For testing purposes, Microsoft's announcement provided some scripts to see the effects of the deprecated SHA-1 certificates. Microsoft's most helpful resource for IT pros appears to be this wiki article, which describes how different certificates are affected.

Microsoft has been gradually deprecating insecure technologies across its products. It previously announced the disabling of Secure Sockets Layer (SSL) 3.0 support for its Online Services starting on Dec. 1, 2014. It announced the disabling of SSL 3.0 in Azure Storage in February of last year. The TLS 1.0 protocol is the recommended replacement for the flawed SSL 3.0 protocol, which is potentially subject to POODLE-type attacks.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
