Microsoft will cease support for TLS certs signed by SHA1

Microsoft browsers will no longer display a lock when on HTTPS sites protected by SHA1 certs.
Microsoft browsers will no longer display a lock when on HTTPS sites protected by SHA1 certs.

Microsoft announced it will soon cease support for TLS certificates signed by the SHA1 hashing algorithm, according to ArsTechnica.

After hinting in November that it might, the tech giant made it official last week. The end was expected following new research that revealed the popular cryptographic algorithm was susceptible to collision attacks – in which miscreants attempt to find two inputs producing the same hash value. Should they succeed, they would be able to forge digital signatures. 

As well-financed cybercriminals increase their sophistication and the costs of developing attacks decreases, experts have long been warning of vulnerabilities in SHA1, used by nearly a third of existing digital certificates. For example, the Carberp banking trojan employed malware signed by dual certificates, SHA1 and SHA2. 

Most browsers announced plans to cease accepting SHA1-based signatures beginning in January 2017. 

SHA1-based certificates will be blocked starting in February, Microsoft announced.
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS