Menu
Microsoft finally bans SHA-1 certificates in Internet Explorer and Edge

Microsoft finally bans SHA-1 certificates in Internet Explorer and Edge

All SHA-1 certificates that chain back to publicly trusted certificate authorities will be blocked, but enterprise and self-signed certificates won't be affected.

The Tuesday updates for Internet Explorer and Microsoft Edge force those browsers to flag SSL/TLS certificates signed with the aging SHA-1 hashing function as insecure. The move follows similar actions by Google Chrome and Mozilla Firefox earlier this year.

Browser vendors and certificate authorities have been engaged in a coordinated effort to phase out the use of SHA-1 certificates on the web for the past few years, because the hashing function no longer provides sufficient security against spoofing.

SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made -- for example, for outdated payment terminals.

A hash function like SHA-1 is used to calculate an alphanumeric string that serves as the cryptographic representation of a file or a piece of data. This is called a digest and can serve as a digital signature. It is supposed to be unique and non-reversible.

In February, researchers from Google and CWI (Centrum Wiskunde & Informatica, a math research center in The Netherlands) have proved the first practical collision attack against SHA-1, producing two PDF files with the same SHA-1 digest. This proved without a doubt that the aging hashing function is effectively broken and should not be used for sensitive applications.

Browser vendors have planned since 2015 to flag SHA-1 certificates as insecure and block them. Google Chrome and Mozilla Firefox used a staged approach: Since early 2016 the browsers blocked SHA-1 certificates issued after Jan. 1, 2016 and since January this year they started blocking all existing SHA-1 certificates, including old ones that have long validity periods.

Chrome version 56, released in January, started blocking all SHA-1 certificates that chain back to publicly trusted certificate authorities. In version 57 it also started blocking SHA-1 certificates that chain back to a local root CA. However, it provides a policy mechanism for organizations to disable this restriction. That's because enterprises might run their own internal certificate infrastructures that rely on self-generated SHA-1 root certificates and cannot easily replace them due to legacy systems that don't support newer hashing functions like SHA-2.

The ban on SHA-1 certificates introduced Tuesday in IE and Edge will only impact certificates that chain to a root certificate in the Microsoft Trusted Root Program, Microsoft said in a security advisory.

Enterprise and self-signed SHA-1 certificates will not be affected for now, but Microsoft's long term plan is to phase out SHA-1 from all usages in Windows, including the function's use for verifying the integrity of downloaded files.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments