Microsoft has announced that websites protected with a SHA-1 certificate will no longer load in its Microsoft Edge and Internet Explorer 11 web browsers. The update reflects the fact that many websites currently own SHA-1 certificates, which are susceptible to weaknesses in the SHA-1 hashing algorithm. It's up to organizations to upgrade to SHA-2 and make sure their certificates don't expire.
On 9 May 2017, Microsoft released a security advisory announcing it would begin blocking websites that protect themselves with a SHA-1 certificate. Those sites will now fail to load and will display an invalid certificate warning when users visit them from either the Microsoft Edge or Internet Explorer 11 web browsers. The tech giant's changes apply to those websites that chain to a root in the Microsoft Trusted Root Program where the issuing intermediate or end-entity's certificate employs SHA-1. Enterprise and self-signed SHA-1 certificates aren't affected.
As it explains in its security alert, Microsoft made its decision based upon the inherent threat that certificates signed with SHA-1 poses to users and businesses:
"The root cause of the problem is a known weakness of the SHA-1 hashing algorithm that exposes it to collision attacks. Such attacks could allow an attacker to generate additional certificates that have the same digital signature as an original. The use of SHA-1 certificates for specific purposes that require resistance against these attacks is discouraged."
Mozilla Firefox and Google Chrome took the lead in flagging SHA-1 back in February 2017 due to the risks posed by collision attacks. Acknowledging these movements in the industry, Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, feels Microsoft is right to move against SHA-1 certificates. But he also warns users and businesses are still at risk notwithstanding the Redmond-based tech giant's actions:
"It's well within reach of nation states and sophisticated adversaries to compromise SHA-1 certificates. In fact, more than a decade ago NIST called for the elimination of SHA-1 because of known vulnerabilities. Unfortunately, businesses are still struggling to remediate SHA-1, even before Microsoft’s announcement. Many lack the visibility to know where SHA-1 certificates are on their networks and they don’t have the automation to replace them quickly."
True to Bocek's point, the Venafi Labs research team analyzed data on over 33 million publicly visible IPv4 websites using Venafi TrustNet in March 2017. This research revealed that 21 percent of the world’s websites still use insecure SHA-1 certificates.
To address this ongoing insecurity, site owners should follow Microsoft's advice by updating their certificates from SHA-1 to SHA-2. Doing so will ensure their websites not only load properly in Microsoft's web browsers but also adequately protect users' information. They should then invest in a solution that helps them monitor their certificates, automates remediation, and prevents outages.