News

SHA-1 Security Certificates To Be Blocked in IE and Edge

• By Kurt Mackie
• 05/03/2016

Both Microsoft's Internet Explorer and Edge Web browsers will deny SHA-1 certificates for security later this year.

SHA-1 is a cryptographic algorithm that's used for Internet security, such as with the HTTPS protocol and certificates used to protect Web sites. Researchers have found that SHA-1 encryption can be broken without great cost using a so-called "freestart collision attack" method, which taps graphics accelerator cards.

Consequently, these researchers have urged a faster retirement of SHA-1. The SHA-2 encryption algorithm should be used instead, they say. It isn't affected by the attack.

On Friday, Microsoft further clarified its timeline in reaction to this SHA-1 flaw. Its browsers, Microsoft Edge and Internet Explorer, will no longer show trust for Web sites using SHA-1-signed certificates, starting this summer. These untrusted sites can still be accessed by those browsers, but the "bar lock" trust icon that users see in the address bar of their browsers will not appear.

Moreover, by February 2017, Edge and IE will block access to sites signed with SHA-1 certificates, Microsoft's announcement warned. The company had previously proposed an even more aggressive deprecation timeline of June 2016, but that appears to have been pushed forward.

The summer SHA-1 deprecation will coincide with Microsoft's release of the Windows 10 "anniversary update," which is currently at the preview stage. Microsoft hasn't indicated exactly when the anniversary update will get pushed down as a finished product yet, but it's targeted for a summer release.

The summer policy change will affect Edge on Windows 10, as well as IE on Windows 7, Windows 8.1 and Windows 10. It will only affect Web site certificates "that chain to a CA [certificate authority] in the Microsoft Trusted Root Certificate program," Microsoft's announcement explained.

For testing purposes, Microsoft's announcement provided some scripts to see the effects of the deprecated SHA-1 certificates. Microsoft's most helpful resource for IT pros appears to be this wiki article, which describes how different certificates are affected.

Microsoft has gradually deprecated the use of this insecure technology across its products. It previously announced the disabling of Secure Sockets Layer 3.0 support for its Online Services starting on Dec. 1, 2014. It announced the disabling of SSL 3.0 in Azure Storage in February of last year. The use of the TLS 1.0 protocol instead is the recommended replacement for the flawed SSL 3.0 protocol, which is potentially subject to POODLE-type attacks.