Skip to main content
banner image
venafi logo

Your Customers Will Know If Your Sites Still Use SHA-1. Microsoft Edge and IE 11 Now Block Access.

Your Customers Will Know If Your Sites Still Use SHA-1. Microsoft Edge and IE 11 Now Block Access.

May 10, 2017 | David Bisson

Microsoft has announced that websites protected with a SHA-1 certificate will no longer load in its Microsoft Edge and Internet Explorer 11 web browsers. The update reflects the fact that many websites currently own SHA-1 certificates, which are susceptible to weaknesses in the SHA-1 hashing algorithm. It's up to organizations to upgrade to SHA-2 and make sure their certificates don't expire.

On 9 May 2017, Microsoft released a security advisory announcing it would begin blocking websites that protect themselves with a SHA-1 certificate. Those sites will now fail to load and will display an invalid certificate warning when users visit them from either the Microsoft Edge or Internet Explorer 11 web browsers. The tech giant's changes apply to those websites that chain to a root in the Microsoft Trusted Root Program where the issuing intermediate or end-entity's certificate employs SHA-1. Enterprise and self-signed SHA-1 certificates aren't affected.

As it explains in its security alert, Microsoft made its decision based upon the inherent threat that certificates signed with SHA-1 poses to users and businesses:

"The root cause of the problem is a known weakness of the SHA-1 hashing algorithm that exposes it to collision attacks. Such attacks could allow an attacker to generate additional certificates that have the same digital signature as an original. The use of SHA-1 certificates for specific purposes that require resistance against these attacks is discouraged."

Mozilla Firefox and Google Chrome took the lead in flagging SHA-1 back in February 2017 due to the risks posed by collision attacks. Acknowledging these movements in the industry, Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, feels Microsoft is right to move against SHA-1 certificates. But he also warns users and businesses are still at risk notwithstanding the Redmond-based tech giant's actions:

"It's well within reach of nation states and sophisticated adversaries to compromise SHA-1 certificates. In fact, more than a decade ago NIST called for the elimination of SHA-1 because of known vulnerabilities. Unfortunately, businesses are still struggling to remediate SHA-1, even before Microsoft’s announcement. Many lack the visibility to know where SHA-1 certificates are on their networks and they don’t have the automation to replace them quickly."

True to Bocek's point, the Venafi Labs research team analyzed data on over 33 million publicly visible IPv4 websites using Venafi TrustNet in March 2017. This research revealed that 21 percent of the world’s websites still use insecure SHA-1 certificates.

To address this ongoing insecurity, site owners should follow Microsoft's advice by updating their certificates from SHA-1 to SHA-2. Doing so will ensure their websites not only load properly in Microsoft's web browsers but also adequately protect users' information. They should then invest in a solution that helps them monitor their certificates, automates remediation, and prevents outages. 

Do you have visibility into your certificates?

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more