Coming February, 14th 2017, Microsoft will have support for SHA – 1 certificates removed completely for its browser. Yes, SHA – 1, once a very popular hashing function, is on the way out. Microsoft had earlier announced its final deprecation deadlines for its browser in April this year.
SHA-1 or Secure Hash Algorithm 1 is a cryptographic hash function designed by the United States National Security Agency and published by the United States NIST. Weaknesses in SHA-1 could allow an attacker to spoof content, execute Phishing attacks, or perform Man-in-the-middle attacks when browsing the web and hence there is an initiative to migrate from SHA-1 to SHA-256 (SHA-2) to better secure websites, intranet communications, and applications.
Microsoft to deprecate SHA-1 in Edge & IE
Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning, said Microsoft.
With the move coming into effect, it will be mandatory for all the websites running on Edge browser to replace SHA-1 certificates as soon as possible. Microsoft Edge on Windows 10 and Internet Explorer 11 on other lower versions of Windows OS will stop websites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Nevertheless, users will have the option to ignore the error and continue to the website.
After February 2017, Microsoft will start warning consumers about the risk of downloading software that is signed using a SHA-1 certificate.
The update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program.
Not only Microsoft but other tech giants too, like Google are working in collaboration to phase out SHA-1. Additional information on Microsoft’s overall SHA-1 deprecation plans can be found on TechNet.