Microsoft recommends against usage of SHA-1

Summary: Redmond software giant issues policy changes in line with US and Australian government agencies.

Microsoft is advising its customers to stop using the SHA-1 hashing algorithm in cryptographic applications such as SSL/TLS encryption and code signing.

In a security advisory issued by the company, Microsoft said that it would stop recognising certificates using the algorithm after January 1, 2016. After this date, certificate authorities (CAs) that issue certificates under the Windows Root Certificate Program will only be able to issue SHA-2 certificates.

According to Microsoft, SHA-1 is used in 98 percent of all certificates issued worldwide. However, it also claims that since 2005 researchers have discovered collision attacks against the algorithm that mean it no longer meets its security standards. Although the announcement to drop SHA-1 comes today, the Australian Signals Directorate (ASD) has been advising government agencies to move to SHA-2 since December 2011.

The ASD also has a slightly different opinion of when the collision attacks were first known, stating that "theoretically impressive attacks" against SHA-1 had been known since 2004, but that they were not practical to implement.

ASD has already removed the "weakened but not broken" SHA-1 algorithm from use in its Information Security Manual.

The US National Institute of Standards and Technology, which published the algorithm, also stated in September 2012 that US federal agencies should stop using SHA-1.



A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
