In a blog post, Microsoft stated that the algorithm was no longer secure and allowed attackers to carry out spoofs, phishing attacks, or man-in-the-middle attacks. From February 14, Microsoft Edge and Internet Explorer 11 will no longer automatically load up a site that uses SHA-1; instead they will display a warning message to the user about this invalid certificate before they go any further.
“Microsoft, in collaboration with other members of the industry, is working to phase out SHA-1,” Microsoft said. Website owners have been urged to update their certificates ASAP.
The news comes just a couple of days after Google made a similar announcement, explaining that Chrome 56 will not support the outdated hashing algorithm. Chrome 56 is tipped for release in late January but Google had previously outlined these plans almost a year ago.
Similarly, Mozilla’s Firefox will start winding down support for SHA-1 early next year as well, so expect all the major browsers to have left SHA-1 behind by spring 2017.
“Digital signatures incorporating the SHA-1 algorithm may soon be forgeable by sufficiently motivated and resourceful entities,” said Mozilla’s J.C. Jones last month when explaining the reason for making the move.
Hashing algorithms generally become outdated after some time when mathematical and computer processing grows in strength.
Once upon a time, the algorithm MD5 was the go-to hashing algorithm until it was replaced by SHA-1 as the standard. But as Google noted in its announcement last week, SHA-1 “first showed signs of weakness over eleven years ago,” so the industry shift away from the algorithm has been a long time coming.
“Enterprises are encouraged to make every effort to stop using SHA-1 certificates as soon as possible and to consult with their security team before enabling the policy,” said Andrew Whalley of Google Chrome’s security team.
A couple of recent hacks and data breaches have showed how some companies are still securing data with SHA-1 and in some cases even MD5, like the Last.fm breach.
