Windows 10 Edge, IE: We're now blocking sites signed with SHA-1 certs, says Microsoft
Microsoft’s browsers will no longer load sites with SHA-1 signed certificates and will warn of a security problem.
Image: Microsoft
With this week’s monthly Patch Tuesday, Microsoft has also rolled out a new policy for Edge and Internet Explorer that prevents sites that use a SHA-1-signed HTTPS certificate from loading.
The move brings Microsoft’s browsers in line with Chrome, which dropped support for the SHA-1 cryptographic hash function in January’s stable release of Chrome 56, and Firefox’s February cut-off.
The new policy affects sites that haven’t moved to SHA-2 signed certificates. Apple dropped support for SHA-1 in March with macOS Sierra 10.12.4 and iOS 10.3.
Browser makers and certificate authorities have been gradually deprecating SHA-1 over the past few years.
The case for sunsetting it was made clearer after researchers at Google and CWI Amsterdam in February revealed a technique for creating a SHA-1 collision, demonstrated with two PDFs containing different content that had the same SHA-1 hash. A secure hashing algorithm shouldn’t output the same hash or digest for two different pieces of data.
Once Tuesday’s updates are installed, Microsoft’s browsers will no longer load sites with SHA-1 signed certificates and will display an error warning highlighting a security problem with the site’s certificate.
Microsoft’s broader plan to phase out SHA-1 certificates will eventually apply to self-signed SSL/TLS certificates used in the enterprise.
The current policy “will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1”.
Microsoft notes in its advisory that self-signed SHA-1 TSL certificates will not be impacted, but it urged all customers to “quickly migrate” to SHA-2 based certificates.
The Windows 10 Creators Update also automatically blocks SHA-1 in the browser. Microsoft flagged these changes in a blogpost in April and offered admins instructions for immediately blocking SHA-1.
Google similarly has offered more flexibility to enterprise self-signed SHA-1 certificates. Chrome 57, released in March, stopped trusting these certificates but it offers enterprise policy setting in Chrome to trust SHA-1 certificates, which will remain an option until January 1, 2019.