Threat Management, Incident Response, Network Security, TDR

Microsoft will cease support for TLS certs signed by SHA1

Microsoft announced it will soon cease support for TLS certificates signed by the SHA1 hashing algorithm, according to ArsTechnica.

After hinting in November that it might, the tech giant made it official last week. The end was expected following new research that revealed the popular cryptographic algorithm was susceptible to collision attacks – in which miscreants attempt to find two inputs producing the same hash value. Should they succeed, they would be able to forge digital signatures. 

As well-financed cybercriminals increase their sophistication and the costs of developing attacks decreases, experts have long been warning of vulnerabilities in SHA1, used by nearly a third of existing digital certificates. For example, the Carberp banking trojan employed malware signed by dual certificates, SHA1 and SHA2. 

Most browsers announced plans to cease accepting SHA1-based signatures beginning in January 2017. 

SHA1-based certificates will be blocked starting in February, Microsoft announced.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.