Microsoft to remove all SHA-1 Windows downloads next week

Microsoft says file downloads signed with the SHA-1 algorithm are insecure and will be removed on August 3, 2020.
Written by Catalin Cimpanu, Contributor

Microsoft announced this week plans to remove all Windows-related file downloads from the Microsoft Download Center that are cryptographically signed with the Secure Hash Algorithm 1 (SHA-1).

The files will be removed next Monday, on August 3, the company said on Tuesday.

The OS maker cited the security of the SHA-1 algorithm for the move.

"SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," it said.

SHA-1, broken since 2016

Most software companies have recently begun abandoning the SHA-1 algorithm after a team of academics broke the SHA-1 hashing function at a theoretical level in February 2016.

The algorithm was broken in a real-world practical attack in February 2017, when Google cryptographers disclosed SHAttered, a technique that could make two different files appear as they had the same SHA-1 file signature.

At the time, creating an SHA-1 collision was considered computationally expensive, and Google experts thought SHA-1 could still be used in practice for at least half a decade until the cost would go down.

However, subsequent research released in May 2019 and in January 2020, detailed an updated methodology to cut down the cost of an SHA-1 collision attack to under $110,000 and then to under $50,000.

Since 2016, software makers have abandoned SHA-1, mainly for SHA-2. Google removed SHA-1 support from Chrome with the release of Chrome 56, at the end of January 2017; Firefox removed SHA-1 support in Firefox 51, also released at the end of January 2017; and Microsoft dropped support for SHA-1 in Edge and Internet Explorer in mid-2017.

Apple followed by removing SHA-1 from iOS 13 and macOS Catalina, and OpenSSH announced plans to deprecate SHA-1 for its login process earlier this year.

Microsoft, since August 2019, no longer uses SHA-1 to sign and authenticate Windows OS updates. Currently, Microsoft is in the process of replacing SHA-1 with SHA-2 across its products.

However, the OS maker didn't specify if the Windows-related files that are being removed from its downloads center on Monday will be replaced with new download links signed with SHA-2, leaving many too wonder if they'll ever be able to download some of Microsoft's old tools.

Windows tablets through the ages: The good, the bad and the ugly, in pictures

Editorial standards