Windows 10 Edge, IE: We're now blocking sites signed with SHA-1 certs, says Microsoft

Microsoft drops browser support for HTTPS certificates signed with the SHA-1 hashing algorithm.


Microsoft's browsers will no longer load sites with SHA-1 signed certificates and will warn of a security problem.

Image: Microsoft

With this week's monthly Patch Tuesday, Microsoft has also rolled out a new policy for Edge and Internet Explorer that prevents sites that use a SHA-1-signed HTTPS certificate from loading.

The move brings Microsoft's browsers in line with Chrome, which dropped support for the SHA-1 cryptographic hash function in January's stable release of Chrome 56, and Firefox's February cut-off.

Linus Torvalds on SHA-1 and Git: 'The sky isn't falling'

Yes, SHA-1 has been cracked, but that doesn't mean your code in Git repositories is in any real danger of being hacked.

Read More

The new policy affects sites that haven't moved to SHA-2 signed certificates. Apple dropped support for SHA-1 in March with macOS Sierra 10.12.4 and iOS 10.3.

Browser makers and certificate authorities have been gradually deprecating SHA-1 over the past few years.

The case for sunsetting it was made clearer after researchers at Google and CWI Amsterdam in February revealed a technique for creating a SHA-1 collision, demonstrated with two PDFs containing different content that had the same SHA-1 hash. A secure hashing algorithm shouldn't output the same hash or digest for two different pieces of data.

Once Tuesday's updates are installed, Microsoft's browsers will no longer load sites with SHA-1 signed certificates and will display an error warning highlighting a security problem with the site's certificate.

Microsoft's broader plan to phase out SHA-1 certificates will eventually apply to self-signed SSL/TLS certificates used in the enterprise.

The current policy "will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1".

Microsoft notes in its advisory that self-signed SHA-1 TSL certificates will not be impacted, but it urged all customers to "quickly migrate" to SHA-2 based certificates.

The Windows 10 Creators Update also automatically blocks SHA-1 in the browser. Microsoft flagged these changes in a blogpost in April and offered admins instructions for immediately blocking SHA-1.

Google similarly has offered more flexibility to enterprise self-signed SHA-1 certificates. Chrome 57, released in March, stopped trusting these certificates but it offers enterprise policy setting in Chrome to trust SHA-1 certificates, which will remain an option until January 1, 2019.

Read more

Show Comments