Microsoft to remove all SHA-1 Windows downloads next week

Microsoft says file downloads signed with the SHA-1 algorithm are insecure and will be removed on August 3, 2020.

microsoft-march-2020-patch-tuesday-fixes-5e6a4fb210393e000182bb8f-1-mar-16-2020-16-46-38-poster.jpg

Windows 10 security: 'So good, it can block zero-days without being patched'

Systems running the Windows 10 Anniversary Update were shielded from two exploits even before Microsoft had issued patches for them, its researchers have found.

Read More

Microsoft announced this week plans to remove all Windows-related file downloads from the Microsoft Download Center that are cryptographically signed with the Secure Hash Algorithm 1 (SHA-1).

The files will be removed next Monday, on August 3, the company said on Tuesday.

The OS maker cited the security of the SHA-1 algorithm for the move.

"SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," it said.

SHA-1, broken since 2016

Most software companies have recently begun abandoning the SHA-1 algorithm after a team of academics broke the SHA-1 hashing function at a theoretical level in February 2016.

The algorithm was broken in a real-world practical attack in February 2017, when Google cryptographers disclosed SHAttered, a technique that could make two different files appear as they had the same SHA-1 file signature.

At the time, creating an SHA-1 collision was considered computationally expensive, and Google experts thought SHA-1 could still be used in practice for at least half a decade until the cost would go down.

However, subsequent research released in May 2019 and in January 2020, detailed an updated methodology to cut down the cost of an SHA-1 collision attack to under $110,000 and then to under $50,000.

Since 2016, software makers have abandoned SHA-1, mainly for SHA-2. Google removed SHA-1 support from Chrome with the release of Chrome 56, at the end of January 2017; Firefox removed SHA-1 support in Firefox 51, also released at the end of January 2017; and Microsoft dropped support for SHA-1 in Edge and Internet Explorer in mid-2017.

Apple followed by removing SHA-1 from iOS 13 and macOS Catalina, and OpenSSH announced plans to deprecate SHA-1 for its login process earlier this year.

Microsoft, since August 2019, no longer uses SHA-1 to sign and authenticate Windows OS updates. Currently, Microsoft is in the process of replacing SHA-1 with SHA-2 across its products.

However, the OS maker didn't specify if the Windows-related files that are being removed from its downloads center on Monday will be replaced with new download links signed with SHA-2, leaving many too wonder if they'll ever be able to download some of Microsoft's old tools.