Skip to main content
banner image
venafi logo

Still Using SHA-1 for Internal Certificates? It’s Almost Too Late to Update

Still Using SHA-1 for Internal Certificates? It’s Almost Too Late to Update

SHA-1 migration SHA-2 Microsoft
March 18, 2019 | Guest Blogger: Anastasios Arampatzis

How many organizations may have overlooked or delayed the migrations of SHA-1 certificates in internal environments? They are hard to find, hard to track, and harder to monitor and may not have expiration dates that would drive migration.

Everyone who didn’t feel they had to worry too much about replacing those hard-to-find internal SHA-1 certificates will now have to start worrying. Microsoft is in the process of phasing out the use of the Secure Hash Algorithm 1 (SHA-1) code-signing encryption to deliver Windows OS updates. On February 15th, 2018 Microsoft announced that customers running legacy OS versions will be required to have SHA-2 code-signing support installed on their devices by July 2019.

“Due to weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively [after July 19],” reads the notice. “Any devices without SHA-2 support will not be offered Windows updates after July 2019.” Starting in early 2019, the migration process to SHA-2 support will occur in stages, and support will be delivered in standalone updates.

What does this mean? Simply, no SHA-2 support, no more updates. This roll out planning affects users of Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and some older versions of Windows Server Update Services.

For the time being, Windows uses both the SHA-1 and SHA-2 hash algorithms to authenticate its updates and prevent tampering by man-in-the-middle attacks, with newer systems supporting only SHA-2, while the older ones support only SHA-1. SHA-2 upgrades will roll out to the affected products over the course of several months, beginning March 12.

Why has Microsoft come to this decision?

SHA-1 was developed by the National Institute of Standards and Technology (NIST) and by the National Security Agency (NSA). This algorithm generates a 160-bit hash value and was developed for use with DSA (Digital Signature Algorithm) or DSS (Digital Signature Standard). SHA-1 remains a widely used part of code-signing, but its efficacy has declined over time as more and more attacks that break it have popped up. As a result, NIST has officially deprecated SHA-1 in 2011. Microsoft for instance has cited the existence of known collision attacks against SHA-1 as the main reason for advising against its use. Collisions occur when an attacker is able to generate a certificate with the same signature as the original certificate.

This is only the latest step for Microsoft in phasing out SHA-1. It has been actively deprecating the SHA-1 and older hash algorithms like RC4 since at least 2013. Other tech giants, including Facebook, Google and Mozilla, have already done the same. Starting from version 56, which was  released in January 2017, Chrome considers any website protected with a SHA-1 certificate as insecure, while Firefox has deprecated SHA-1 as of February 24th, 2017.

According to the team that actually broke SHA-1, any application that relies on SHA-1 for digital signatures, file integrity, or file identification is potentially vulnerable. These include Digital Certificate signatures, Email PGP/GPG signatures, Software vendor signatures, Software updates, ISO checksums, Backup systems, GIT, etc. TLS/SSL certificates are not at risk because any Certification Authority abiding by the CA/Browser Forum regulations is not allowed to issue SHA-1 certificates anymore.

It is high time to update

All technology providers urge their customers to update from SHA-1 to SHA-2. But this may not be so easy as it seems. Older, hardware-based solutions may require upgrading to support these newer technologies. The use of cryptographic security algorithms is meant to instill trust to your customers. If you value your customers and your organization’s reputation, it is high time to invest in your security. With visibility and intelligence from a robust platform for machine identity protection, Venafi can help you find and replace internal certificates, even in hard to locate areas of your network.

Contact Venafi to see how we can accelerate your migration to SHA-2 before the impending deadline.

Related posts

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

Mozilla, Certinomis, digital certificate, broken chain

Mozilla Distrusts Certinomis Issued Certificates

Certificate Poisoning Threatens GnuPG

Certificate Poisoning Threatens GnuPG

PKI, cyber attack, Public Key Infrastructure, encryption

Machine Identity Experts Needed: How to Become a PKI Admin

About the author

Guest Blogger: Anastasios Arampatzis
Guest Blogger: Anastasios Arampatzis
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat