It has been known for some time that the SHA-1 hashing algorithm is no longer an effective cryptographic defense against attacks like man-in-the-middle or spoofing. As such, major players in the tech world have been making plans to move away from this algorithm in favor of, at bare minimum, SHA-2 or preferably SHA-3. Many have wondered, however, about the specifics of the transition that companies such as Google and Microsoft intend to make toward making stronger encryption a part of users’ lives.
Microsoft, for its part, has recently shed light on its particular plan to enact this transition. In a blog post titled “SHA-1 deprecation countdown,” the Microsoft Edge team stated that the company will block browser access to websites with SHA-1 certificates beginning on Feb. 14, 2017. Should a user of Microsoft Edge or Internet Explorer 11 try to access a site with SHA-1 protection, they will be met with the message below:
As one can see, it is still possible to go to these websites, but you will be strongly advised not to. The Microsoft post also pointed out that this restriction is specifically for “SHA-1 certificates that chain to a Microsoft Trusted Root CA.” They further explain that “manually-installed enterprise or self-signed SHA-1 certificates will not be impacted,” but the Edge team highly encourages “all customers to quickly migrate to SHA-256.”
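As an added example (not code from the Microsoft post or the Edge team), here is a small Python audit that reads the outer signatureAlgorithm OID of each DER-encoded certificate in a leaf-first chain and reports which ones are SHA-1 signed. It treats the last certificate as the trust anchor, whose self-signature is not validated, which mirrors the post's note that self-signed certificates are unaffected; that simplification, the helper names, and the sample certificates (constructed stand-ins carrying only the fields the audit reads) are assumptions.

```python
# Constructed example: audit a certificate chain for SHA-1 signatures.
# Only the outer signatureAlgorithm field of each DER certificate is read.

SIG_ALG_OIDS = {  # signatureAlgorithm OID -> digest it uses
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}

def _read_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OID content bytes into dotted form (first byte packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """Digest named by the certificate's outer signatureAlgorithm field."""
    _, cert, _ = _read_tlv(cert_der)         # Certificate ::= SEQUENCE
    _, _, after_tbs = _read_tlv(cert)        # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, after_tbs)   # signatureAlgorithm ::= SEQUENCE
    _, oid, _ = _read_tlv(alg)               # algorithm OBJECT IDENTIFIER
    return SIG_ALG_OIDS.get(_decode_oid(oid), "unknown")

def sha1_signed_certs(chain_der):
    """Indexes of SHA-1-signed certs in a leaf-first chain. The last cert is
    the trust anchor; its self-signature is not validated (assumption that
    mirrors the exemption for self-signed certificates)."""
    return [i for i, c in enumerate(chain_der[:-1]) if signature_hash(c) == "SHA-1"]

# --- constructed sample certificates: shape only, not valid X.509 ---
def _der(tag, body):
    """Minimal DER encoder, short-form lengths only (enough for the samples)."""
    return bytes([tag, len(body)]) + body

def fake_cert(sig_oid_hex):
    tbs = _der(0x30, _der(0x0C, b"example"))                   # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xAA\xBB"))  # dummy signatureValue

RSA_SHA1, RSA_SHA256, EC_SHA1 = "2A864886F70D010105", "2A864886F70D01010B", "2A8648CE3D0401"
```

Calling `sha1_signed_certs([fake_cert(RSA_SHA1), fake_cert(RSA_SHA256), fake_cert(RSA_SHA256)])` returns `[0]`, flagging the leaf, while a lone `fake_cert(RSA_SHA1)` yields no finding.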
This is a step in the right direction, but as studies by Venafi have indicated (thanks to Threatpost for pointing me to this study!), roughly 35 percent of public websites are still on SHA-1 certificates. What this indicates is that the industry, as a whole, is not taking the risk posed by obsolete hashing seriously. It is all well and good that companies like Microsoft are blocking access to websites that leave their customers open to attack, but the ultimate goal is a total move away from SHA-1.
This is not to say that SHA-2 or SHA-3 are magic bullets in terms of cryptographic hashes, but they are far safer than their predecessor.
Photo credit: Microsoft, Elekes Andor