Windows 10 Edge, IE: We're now blocking sites signed with SHA-1 certs, says Microsoft

Microsoft drops browser support for HTTPS certificates signed with the SHA-1 hashing algorithm.
Written by Liam Tung, Contributing Writer

Microsoft's browsers will no longer load sites with SHA-1 signed certificates and will warn of a security problem.

Image: Microsoft

With this week's monthly Patch Tuesday, Microsoft has also rolled out a new policy for Edge and Internet Explorer that prevents sites that use a SHA-1-signed HTTPS certificate from loading.

The move brings Microsoft's browsers in line with Chrome, which dropped support for the SHA-1 cryptographic hash function in January's stable release of Chrome 56, and Firefox's February cut-off.

The new policy affects sites that haven't moved to SHA-2 signed certificates. Apple dropped support for SHA-1 in March with macOS Sierra 10.12.4 and iOS 10.3.

Browser makers and certificate authorities have been gradually deprecating SHA-1 over the past few years.

The case for sunsetting it was made clearer after researchers at Google and CWI Amsterdam in February revealed a technique for creating a SHA-1 collision, demonstrated with two PDFs containing different content that had the same SHA-1 hash. A secure hashing algorithm shouldn't output the same hash or digest for two different pieces of data.

Once Tuesday's updates are installed, Microsoft's browsers will no longer load sites with SHA-1 signed certificates and will display an error warning highlighting a security problem with the site's certificate.

Microsoft's broader plan to phase out SHA-1 certificates will eventually apply to self-signed SSL/TLS certificates used in the enterprise.

The current policy "will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1".

Microsoft notes in its advisory that self-signed SHA-1 TSL certificates will not be impacted, but it urged all customers to "quickly migrate" to SHA-2 based certificates.

The Windows 10 Creators Update also automatically blocks SHA-1 in the browser. Microsoft flagged these changes in a blogpost in April and offered admins instructions for immediately blocking SHA-1.

Google similarly has offered more flexibility to enterprise self-signed SHA-1 certificates. Chrome 57, released in March, stopped trusting these certificates but it offers enterprise policy setting in Chrome to trust SHA-1 certificates, which will remain an option until January 1, 2019.

Read more

Editorial standards