Lost in yesterday’s shuffle of emergency updates and regularly scheduled monthly patches was Microsoft’s announcement that it was officially cutting off SHA-1 support in Internet Explorer 11 and Edge.
Going forward, both browsers will block webpages signed with a SHA-1 TLS or SSL certificate from loading and users will be shown a warning about an invalid certificate.
SHA-1 has long been earmarked for deprecation and other major browsers such as Chrome and Firefox have already taken similar measures to prevent the loading of sites signed with the broken hash function.
Crypto experts have warned users for close to a decade that SHA-1 was theoretically broken and the likelihood of a real-world, practical collision attack was imminent. In February, researchers from Google and the Cryptology Group at Centrum Wiskunde and Informatica (CWI) published a paper called SHAttered that described the first such attack.
The attack carried out by the researchers involved one of the largest computations ever completed and required nine quintillion SHA-1 computations and 6,500 years of CPU time to complete the first of two phases of the attack. In the end, the researchers were able to derive the SHA-1 hash of a PDF file, and use it to abuse a second. No two hash files should ever match, and by arriving at collision, an attacker could trick a system into accepting a malicious file instead of the intended one.
Microsoft said yesterday in an advisory that enterprise or self-signed SHA-1 certs will not be impacted, but reinforced a long-standing recommendation that users migrate to SHA-2 signed certs.
“This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1,” Microsoft said.
Last November, Microsoft had set a Feb. 14 deadline for SHA-1 support in its browsers, but said it April that it would finally cross the finish line yesterday. Microsoft also said that the Windows 10 Creators Update also blocks SHA-1 by default.
Mozilla and Google have already implemented similar steps, starting in January. The browser makers accelerated their plans to deprecate the hash function as new research surfaced that increased the likelihood of a collision before early 2018 projections. A 2015 paper from CWI and Nanyang Technological University of Singapore described tweaks to known attacks against SHA-1 that could theoretically reduce the time required to generate a collision.
In 2012, experts projected that practical collisions would arrive by 2018 and cost $700,000 and continue to freefall given the declining costs of CPU time. Those totals, at the time, were well within reach of nation-state actors and even some well-funded criminal outfits.
The 2015 paper, however, sliced into those projections and cut significantly into the time necessary to generate a collision (78 days) and brought the cost to under $120,000 USD.
A Threatpost report in January found that only 536 of the Alexa top 1 million websites were still running SHA-1, and experts called the migration away from the hash function “an unmitigated success.”