Menu
Microsoft finally bans SHA-1 certificates in Internet Explorer and Edge

Microsoft finally bans SHA-1 certificates in Internet Explorer and Edge

All SHA-1 certificates that chain back to publicly trusted certificate authorities will be blocked, but enterprise and self-signed certificates won't be affected.

The Tuesday updates for Internet Explorer and Microsoft Edge force those browsers to flag SSL/TLS certificates signed with the aging SHA-1 hashing function as insecure. The move follows similar actions by Google Chrome and Mozilla Firefox earlier this year.

Browser vendors and certificate authorities have been engaged in a coordinated effort to phase out the use of SHA-1 certificates on the web for the past few years, because the hashing function no longer provides sufficient security against spoofing.

SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made -- for example, for outdated payment terminals.

A hash function like SHA-1 is used to calculate an alphanumeric string that serves as the cryptographic representation of a file or a piece of data. This is called a digest and can serve as a digital signature. It is supposed to be unique and non-reversible.

In February, researchers from Google and CWI (Centrum Wiskunde & Informatica, a math research center in The Netherlands) have proved the first practical collision attack against SHA-1, producing two PDF files with the same SHA-1 digest. This proved without a doubt that the aging hashing function is effectively broken and should not be used for sensitive applications.

Browser vendors have planned since 2015 to flag SHA-1 certificates as insecure and block them. Google Chrome and Mozilla Firefox used a staged approach: Since early 2016 the browsers blocked SHA-1 certificates issued after Jan. 1, 2016 and since January this year they started blocking all existing SHA-1 certificates, including old ones that have long validity periods.

Chrome version 56, released in January, started blocking all SHA-1 certificates that chain back to publicly trusted certificate authorities. In version 57 it also started blocking SHA-1 certificates that chain back to a local root CA. However, it provides a policy mechanism for organizations to disable this restriction. That's because enterprises might run their own internal certificate infrastructures that rely on self-generated SHA-1 root certificates and cannot easily replace them due to legacy systems that don't support newer hashing functions like SHA-2.

The ban on SHA-1 certificates introduced Tuesday in IE and Edge will only impact certificates that chain to a root certificate in the Microsoft Trusted Root Program, Microsoft said in a security advisory.

Enterprise and self-signed SHA-1 certificates will not be affected for now, but Microsoft's long term plan is to phase out SHA-1 from all usages in Windows, including the function's use for verifying the integrity of downloaded files.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Reseller News Innovation Awards 2018: meet the top performing partners

Reseller News Innovation Awards 2018: meet the top performing partners

Reseller News honoured the industry’s finest on a standout evening for the New Zealand channel, recognising the achievements of established partners, emerging players and innovative start-ups, in front of over 460 technology leaders in Auckland.

Reseller News Innovation Awards 2018: meet the top performing partners
Champagne Reception kicks off Reseller News Innovation Awards 2018

Champagne Reception kicks off Reseller News Innovation Awards 2018

More than 460 channel leaders came together to toast the top performers of the New Zealand industry, during the opening Champagne Reception at the Reseller News Innovation Awards 2018 - in association with Techbuyer.

Champagne Reception kicks off Reseller News Innovation Awards 2018
Chasing innovation: how Kiwi partners can create a new customer agenda

Chasing innovation: how Kiwi partners can create a new customer agenda

This exclusive Reseller News Roundtable - in association with Rhipe and Microsoft - detailed a blueprint for customer success, outlining the new role of the modern-day partner and wider network in New Zealand.

Chasing innovation: how Kiwi partners can create a new customer agenda
Show Comments