Microsoft may block SHA-1 certificates sooner than expected

Encrypted sites running old certificates will be inaccessible from modern browsers.
Written by Zack Whittaker, Contributor
(Image: ZDNet/CBS Interactive, file photo)

While about one-in-four encrypted websites are still using weak security certificates, Microsoft is considering taking matters into its own hands.

With the possibility of an attack becoming ever more possible, the software giant said in a blog post that it may consider moving up its deadline of deprecating old SHA1-based security certificates to June 2016.

That means sites running old certificates will be inaccessible, or difficult to access, from modern browsers.

Kyle Pflug, a program manager on Microsoft's Edge browser team, said the software giant "will continue to coordinate with other browser vendors to evaluate the impact of this timeline based on telemetry and current projections for feasibility of SHA1 collisions."

Fellow browser maker Mozilla said last month that it may also deprecate support for older SHA1-based certificates as of July 2016.

The reason companies are getting increasingly concerned about the state of the cryptographic algorithm, which has been widely used across the encrypted web for years, is because some fear it could be cracked by the end of the year. That would essentially make the algorithm useless, weakening security for millions of users.

Research published last month said a well-resourced attacker, such as an intelligence agency, could successfully create an SHA1 collision attack by the end of the year. That would mean a country like the US, Russia, or China -- or even a well-funded hacker -- could impersonate seemingly secure websites.

Researchers previously believed that an SHA1 collision was at least two years away.

The good news is that SHA2, the newer and far stronger cryptographic algorithm, makes up about 75 percent of the encrypted web, and that figure is growing every month.

Certificate authorities said they will respond by no longer issuing SHA1 certificates from 2016, opting instead for SHA2 certificates.

However, many of those in developing nations who are running older software and devices -- including the candy-bar cellphones that have basic mobile internet -- will face a brick wall, because their browser or device will be unable to read the new, more secure certificates.

"We're about to leave a whole chunk of the internet in the past," said CloudFlare chief executive Matthew Prince.

Editorial standards