Microsoft confirmed that Feb. 14, 2017 is the cutoff date for SHA-1 support in its Microsoft Edge and Internet Explorer 11 browsers. After that date, neither browser will immediately load sites still running SHA-1 certificates and users will be shown an invalid certificate warning. Users will also have to take extra steps to reach the site if they so choose.
The move follows Google’s announcement last week that it will remove support for SHA-1 certificates in Chrome 56, which is slated for release at the end of January. Mozilla also announced a similar deprecation cutoff date for early next year.
SHA-1 (Secure Hash Algorithm 1) has been supported by Google, Firefox and Microsoft browsers for more than a decade. But weaknesses and theoretical collisions have been demonstrated in SHA-1, exposing users to spoofing and man-in-the-middle attacks.
The successor, SHA-2, addresses those concerns. But the industry has a long way to go to update, according to Venafi. It estimates 35 percent of websites (out of 11 million public websites) are still using SHA-1 certificates.
In a blog post, Microsoft said that its transition will impact only SHA-1 certificates that chain to a Microsoft Trusted Root certificate authority. The tech giant also attempted to allay fears over the migration, saying manually installed enterprise or self-signed SHA-1 certificates will not be impacted, ensuring a smooth transition for internal corporate sites mostly located behind a company’s firewall.
Microsoft also said that system administrators can get a jump on testing SHA-2 readiness if they are running the November 2016 Windows Updates, including the November 2016 Preview of Monthly Quality Rollups for Windows 7/Windows 8.1. Those users can use Edge and IE 11 to test how their site will be impacted by the SHA-2 migration, Microsoft said.
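Before testing in Edge or IE 11, administrators first need to know which of their certificates are still SHA-1 signed. The following inventory check is an added example, not Microsoft's or Venafi's code: it reads the outer signatureAlgorithm OID of each DER-encoded certificate in a chain with a minimal ASN.1 walk (standard library only), and flags the SHA-1 variants. The two sample certificates are constructed shells with placeholder tbsCertificate and signature fields; for a live site the leaf DER would come from `ssl.DER_cert_from_PEM_cert(ssl.get_server_certificate((host, 443)))`.

```python
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # sha1WithRSAEncryption, ecdsa-with-SHA1 (RFC 3279)

def _tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _oid(value: bytes) -> str:
    """DER OBJECT IDENTIFIER contents to dotted form (first byte packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)        # base-128; high bit set on all but the last byte
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID from Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, body, _ = _tlv(cert_der, 0)
    _, _, pos = _tlv(body, 0)                # skip tbsCertificate
    _, algid, _ = _tlv(body, pos)            # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag, oid, _ = _tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    return _oid(oid)

def sha1_signed(chain: list[bytes]) -> list[int]:
    """Indexes (0 = leaf) of certificates whose signature still uses SHA-1."""
    return [i for i, c in enumerate(chain) if signature_algorithm(c) in SHA1_OIDS]

def _der(tag: int, content: bytes) -> bytes:  # constructed-sample helper: wrap content in a DER TLV
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert(sig_oid_der: bytes) -> bytes:
    """Constructed certificate shell: placeholder tbsCertificate and signature, real AlgorithmIdentifier."""
    tbs = _der(0x30, b"\x02\x01\x01" * 50)                # >127 bytes, so long-form lengths are exercised
    algid = _der(0x30, sig_oid_der + b"\x05\x00")         # OID followed by NULL parameters
    return _der(0x30, tbs + algid + _der(0x03, b"\x00" + b"\xaa" * 32))

SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    print("SHA-1 signed positions:", sha1_signed([fake_cert(SHA1_RSA_OID), fake_cert(SHA256_RSA_OID)]))
```

Run against a real chain, a non-empty result means the site will trip the February 2017 warning if the chain ends in a Microsoft Trusted Root.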
Additionally, users who visit sites that have missed the Feb. 14, 2017 migration date will have the option to ignore the certificate error and continue to the website in question.
Microsoft also clarified concerns around cross-signed certificates, explaining that Windows will only check whether the thumbprint of the root certificate is in the Microsoft Trusted Root Certificate Program. “A certificate cross-signed with a Microsoft Trusted Root that chains to an enterprise/self-signed root would not be impacted by the changes planned for February 2017,” according to Alec Oot and Jody Cloutier, both senior program managers at Microsoft.
“Certificate security is critical to a website’s success. All web browsers use certificates to determine what can and can’t be trusted during online transactions. This is particularly critical in transactions that include sensitive data such as ecommerce and online banking,” notes Venafi’s Scott Carter in a recent post regarding SHA-1 deprecation.
Consequences for website owners that don’t migrate include visitors being warned that they are visiting an insecure website and being urged to look elsewhere for content. Browsers will not display a “green padlock” in the address bar, and some sites could experience performance problems, according to Venafi.
“Either a third of websites are frantically scrambling to replace their SHA-1 certificates or they are blissfully unaware that they may still have SHA-1 certificates they have not yet located,” Carter wrote. “I doubt that many of these websites are still unaware of the consequences.”