Microsoft to phase out SHA-1 certificate support from June 2016
Microsoft has announced that it will start deprecating SHA-1 certificates in a year’s time.
The Redmond company is following in the footsteps of Mozilla, the developer of the acclaimed browser, Firefox.
If you are thinking that it shouldn’t matter much, you could be right, because by the time it happens, the certification system could be extinct. SHA-1 is short for Secure Hash Algorithm 1, a cryptographic hash algorithm used to sign the certificates that validate the authenticity of a website.
Mozilla announced its intention to phase out SHA-1 certificates a year ago, in September 2014. The browser maker made it loud and clear that websites using the certificates were prone to attacks. SHA-1 isn’t new; it has been around for 20 years and has certainly become obsolete. It has already been superseded by SHA-2 and SHA-3.
SHA-1 is weak, and a website using it can easily be hacked and have its certificate replaced with a fake one. This could go unnoticed by the browser, which in turn puts the user’s security at great risk. This is why the certification method should be abandoned. Unfortunately, many websites continue to rely on it, so browsers cannot block them all right away. These websites need to move to a more recent algorithm to stay secure, and this is why browser makers are giving them a year’s time to do so.
Last month, Mozilla announced that it is continuing its mission to deprecate SHA-1 in its browser. Starting with Firefox 43, the browser will show a security warning telling the user that the website has an “Untrusted Connection”. This will only occur if the website has a SHA-1 certificate with a “ValidFrom” date after Jan 1, 2016.
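One way to audit your own certificates against the Firefox 43 rule described above, as an added example that is not part of the original article and is not Mozilla's code: a minimal DER reader that extracts the signature-algorithm OID and the notBefore ("ValidFrom") date. The verdict labels, the `sample_cert` skeleton and the reading of the cutoff as 2016-01-01 00:00 UTC are assumptions made for this example.

```python
from datetime import datetime, timezone

# Signature-algorithm OIDs that use SHA-1 (RSA, ECDSA, DSA).
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.2.840.10040.4.3"}
# Assumption: "after Jan 1, 2016" is read as on or after 2016-01-01 00:00 UTC.
CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):  # split a constructed value into (tag, value) elements
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def oid_to_str(b):
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last byte of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def sha1_verdict(der):
    """Classify a DER certificate as 'ok', 'sha1-legacy' or 'warn'."""
    tbs, sig_alg, _sig = children(read_tlv(der, 0)[1])
    if oid_to_str(children(sig_alg[1])[0][1]) not in SHA1_SIG_OIDS:
        return "ok"
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]  # drop optional [0] version
    tag, raw = children(fields[3][1])[0]  # serial, sigalg, issuer, Validity -> notBefore
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime or GeneralizedTime
    not_before = datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)
    return "warn" if not_before >= CUTOFF else "sha1-legacy"

def enc(tag, body=b""):  # short-form DER length only; the sample stays under 128 bytes
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid_hex, not_before):  # constructed skeleton, no real key or signature
    alg = enc(0x30, enc(0x06, bytes.fromhex(sig_oid_hex)) + enc(0x05))
    validity = enc(0x30, enc(0x17, not_before) + enc(0x17, b"300101000000Z"))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + alg
              + enc(0x30) + validity + enc(0x30) + enc(0x30))
    return enc(0x30, tbs + alg + enc(0x03, b"\x00"))
```

For a real certificate in PEM form, convert it with `ssl.PEM_cert_to_DER_cert` before passing it to `sha1_verdict`; a result of `sha1-legacy` means the certificate predates the cutoff but still needs replacing.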
Microsoft, on the other hand, originally announced that it would begin ending support for SHA-1 from January 1, 2017, a whole year after Mozilla does. Maybe the Redmond company thought it was playing it safe? But now, Microsoft says it is considering phasing out SHA-1 support from June 2016. The company’s browsers will then start blocking pages which still rely on the seriously outdated protocol.
This change of decision was apparently influenced by recent attacks on websites which still use SHA-1, Microsoft reveals in the official announcement.
Google isn’t just standing by and watching, either. The Mountain View company announced last year that its Chrome browser will also display HTTPS sites which rely on a SHA-1 certificate as not fully trustworthy.