The home stretch of Microsoft’s planned SHA-1 deprecation schedule has arrived. This summer, with the planned release of the Windows 10 Anniversary Update, users should see signs that the weak cryptographic hash function is being phased out.
Microsoft said that once the anniversary update is rolled out, Microsoft Edge and Internet Explorer will no longer display the lock icon in the address bar for any site signed with a SHA-1 certificate.
Developers should see this happening soon in the Windows Insider Preview build, Microsoft said.
Last November, Microsoft hinted that it would start blocking SHA-1 signed TLS certificates this June, moving up its scheduled deprecation of SHA-1 by more than six months. By February 2017, Microsoft said last week, Edge and IE will block SHA-1 certs outright.
“This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program,” Microsoft said in an announcement posted by the Microsoft Edge team. “Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers.”
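For site administrators who want to know ahead of the browser changes whether a certificate is affected, the sketch below reads the signature algorithm from a certificate and reports whether it uses SHA-1. It is an added example, not code from Microsoft or from the original article; the function names and the constructed certificate skeleton used as sample input are assumptions for illustration.

```python
import base64

# DER-encoded OIDs of signature algorithms that use SHA-1.
SHA1_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("2a8648ce380403"): "dsa-with-sha1",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def pem_to_der(pem):
    """Strip the PEM armor lines and decode the base64 body."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def sha1_signature(der):
    """Return the SHA-1 algorithm name if the cert is SHA-1 signed, else None."""
    tag, start, _ = read_tlv(der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(der, start)           # tbsCertificate (skipped)
    _, alg_start, _ = read_tlv(der, tbs_end)       # signatureAlgorithm
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signature algorithm OID not found")
    return SHA1_SIG_OIDS.get(bytes(der[oid_start:oid_end]))

def sample_cert(oid_hex):
    """Constructed sample: certificate-shaped DER with an empty tbsCertificate."""
    alg = bytes.fromhex("06%02x%s0500" % (len(oid_hex) // 2, oid_hex))
    inner = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(inner)]) + inner

if __name__ == "__main__":
    for oid in ("2a864886f70d010105", "2a864886f70d01010b"):
        print(oid, "->", sha1_signature(sample_cert(oid)) or "not SHA-1")
```

Run `sha1_signature(pem_to_der(pem_text))` on the site certificate and on each intermediate in the chain, since any SHA-1 signature along the chain is what the browsers are reacting to.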
Cryptographers and mathematicians have been inching toward practical collision attacks against SHA-1 for close to a decade. A collision occurs when two separate inputs to a hash function generate the same hash, allowing an attacker to forge certificates and pass off malware and attacks as legitimate operations.
Microsoft is not the only technology provider to steer clear of SHA-1. Google announced its deprecation timeline last December, and by January of this year users were already seeing error messages if Chrome encountered a SHA-1 signed certificate. Google promises that by Jan. 1, 2017 (or perhaps by the end of June, coinciding with Microsoft’s early deprecation) SHA-1 will be blocked in Chrome.
Mozilla is on the same Jan. 1, 2017 timeline as well, after announcing in 2014 that it would no longer trust SHA-1 in Firefox.
The accelerated timelines are a direct result of advances in SHA-1 collision attack research, nudging these attacks from the theoretical to the practical. The final dagger came last October in a paper called “Freestart collision for full SHA-1” that describes how current attacks can be modified to drastically reduce the cost and time to arrive at a SHA-1 collision.
The researchers estimated that their attack could, with modern cloud computing resources, be accomplished in fewer than three months at a cost of up to $120,000 USD. That’s a drastic reduction from a 2012 paper that projected a practical collision would be possible by 2018 at a cost of $143,000. Government or criminal organizations with any measure of decent funding could pull off this type of attack today, experts guess.
Collision attacks against MD5 have been demonstrated in the wild, forcing an accelerated deprecation of that hash function. The most notorious MD5 collision was pulled off by the attackers behind the Flame malware. They were able to leverage the collision to sign malware as if it were coming from Microsoft, so that it would be trusted as a result. The Flame attackers used the forged Microsoft digital certificate to perform a man-in-the-middle attack against victims, impersonating the Windows Update mechanism and installing malicious code instead.