Microsoft SHA-1 Deprecation Plan - User's Guide

Today, many in the security community consider the SHA-1 hash algorithm a legacy cryptographic primitive that is no longer secure. An attacker may exploit weaknesses in SHA-1 to perform man-in-the-middle attacks, spoof content, or carry out phishing.

As announced in the Microsoft Advisory and on the Microsoft Edge Official Blog, Microsoft, in collaboration with other members of the industry including various browser vendors, is taking gradual steps to deprecate SHA-1 and to warn users of the possible risk when they encounter websites using a SHA-1 certificate.

We have already started to remove the “lock icon” from the address bar in Microsoft Edge and Internet Explorer when browsing websites with a SHA-1 certificate.

Update: We are updating our timelines to deprecate SHA-1 by May 2017 (previously mid-2017) to ensure compliance in all configurations and scenarios for Microsoft Edge and Internet Explorer 11. At that time, these browsers will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Additionally, the next release of Windows 10 will block SHA-1 by default in the browser. Customers who would like to disable SHA-1 today may do so with the instructions in the Microsoft Edge Developer Blog.

Update: On May 9, 2017, Microsoft will release an update to Microsoft Edge and Internet Explorer that will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Additionally, the Windows 10 Creators Update blocks SHA-1 by default in the browser.

Update: Security Advisory 4010323 - Deprecation of SHA-1 for SSL/TLS Certificates

Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change only affects SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate is signed with SHA-1.

Enterprise or self-signed SHA-1 certificates will not be affected, although we recommend that all customers migrate quickly to SHA-2 based certificates.

Please review Security Advisory 4010323 for more details about the issue, a complete list of affected software, answers to frequently asked questions, and links to additional resources.

Security Advisory 4010323: https://technet.microsoft.com/library/security/4010323

Knowledge Base Article 4010323: https://support.microsoft.com/kb/4010323


For more information, please see Windows Enforcement of SHA1 Certificates.

This post provides a summary of the SHA-1 deprecation, with infographics and user guidance to help you test ahead of time.

If you are a website administrator, please check your site to make sure it will not trigger the invalid certificate warning.
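One way to perform that check, as an added example that is not Microsoft's code: the advisory's criterion is that the end-entity certificate or an issuing intermediate is signed with SHA-1, while the root's self-signature is never verified by the client and so does not count. The script below reads the outer signatureAlgorithm OID of each DER certificate in a chain (leaf first, root last) and flags SHA-1 on every position except the trust anchor. The certificates it builds are constructed stand-ins whose tbsCertificate is a placeholder; the outer Certificate layout (tbsCertificate, signatureAlgorithm, signatureValue) is the real one, so `signature_algorithm_oid()` also works on DER obtained from `ssl.PEM_cert_to_DER_cert()`. Whether the anchor actually belongs to the Microsoft Trusted Root Program (public CA versus enterprise or self-signed) is an assumption left to the operator and is not determined here.

```python
"""Flag SHA-1 signatures on the leaf and intermediates of a certificate chain.

Added example, not Microsoft's code. make_cert() builds constructed
stand-in certificates; only the outer Certificate layout is real.
"""

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTF8STRING = 0x30, 0x02, 0x03, 0x05, 0x06, 0x0C

# Signature-algorithm OIDs that bind a SHA-1 digest.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.3.14.3.2.29": "sha1WithRSAEncryption (OIW arc)",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"


def der(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(OID, bytes(out))


def read_tlv(data, pos):
    """Return (tag, content, position just after this TLV)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(content):
    """Inverse of encode_oid() for the OID content bytes."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Read the outer signatureAlgorithm OID of a DER-encoded X.509 certificate."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    _, _, pos = read_tlv(body, 0)          # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)        # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier lacks an OID")
    return decode_oid(oid)


def make_cert(subject, sig_oid):
    """Constructed stand-in certificate carrying the given signature algorithm."""
    tbs = der(SEQUENCE, der(INTEGER, b"\x02") + der(UTF8STRING, subject.encode()))
    alg = der(SEQUENCE, encode_oid(sig_oid) + der(NULL, b""))
    sig = der(BIT_STRING, b"\x00" + bytes(16))   # dummy signature, never verified
    return der(SEQUENCE, tbs + alg + sig)


def audit_chain(chain):
    """Report SHA-1 signatures on every certificate except the trust anchor.

    The last element is the root; its self-signature is not verified by the
    client, so, matching the advisory's criterion, it is exempt.
    """
    findings = []
    for position, cert in enumerate(chain[:-1]):
        oid = signature_algorithm_oid(cert)
        if oid in SHA1_SIGNATURE_OIDS:
            role = "end-entity" if position == 0 else "intermediate"
            findings.append({"position": position, "role": role,
                             "algorithm": SHA1_SIGNATURE_OIDS[oid]})
    return findings


# Constructed chains: leaf, issuing intermediate, root.
CHAIN_SHA1_ROOT_ONLY = [make_cert("www.example.test", SHA256_RSA),
                        make_cert("Example Issuing CA", SHA256_RSA),
                        make_cert("Example Root CA", SHA1_RSA)]
CHAIN_SHA1_INTERMEDIATE = [make_cert("www.example.test", SHA256_RSA),
                           make_cert("Example Issuing CA", SHA1_RSA),
                           make_cert("Example Root CA", SHA256_RSA)]

if __name__ == "__main__":
    print("SHA-1 root only:", audit_chain(CHAIN_SHA1_ROOT_ONLY))          # []
    print("SHA-1 intermediate:", audit_chain(CHAIN_SHA1_INTERMEDIATE))
```

The first chain is not flagged because only the root uses SHA-1; the second is flagged at position 1, the issuing intermediate, which is exactly the case the May 2017 update blocks. To run it against a live site, collect the chain the server sends and pass each certificate's DER bytes in server order.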

For the latest information, please see https://aka.ms/sha1.

- Yurika Kakiuchi, Security Program Manager, Customer Service & Support

[Infographic: sha1update_201705-1]

[Infographic: sha1update_201705-2]