Next Windows 10 Update Will Bring the End of Recognizing SHA-1 As Secure
Microsoft has announced that with the Anniversary update with Windows 10, the company will no longer recognize that SHA-1 is secure in Edge and Internet Explorer. In February of 2017, the company will also block SHA-1 signed TLS certificates in an effort to protect end users from websites that appear to be secure but can be easily compromised.
SHA stands for Secure Hash Algorithm, and the hash function is no longer secure and can be easily cracked. Because Edge and IE still show these sites as secure, it can provide a false sense of security when browsing web pages using this type of algorithm to secure data, as it can be compromised for as little as $2.10.
After the Anniversary update is released, if you navigate to a page using SHA-1, you will still be able to browse the site, but the URL bar will not show the lock icon indicating that it is not secure. In addition to Windows 10, for Internet Explorer 11 on Windows 7 and 8.1, these browsers will show the website as insecure as well.
What is “Inside Microsoft Teams”?
“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.
It is worth noting, for those using Internet Explorer 11, this will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program.
If you are an admin and your website is currently using SHA-1, it is important that you update your security certificates as soon as possible to make sure that your site is protected, so that it will not throw an insecure flag after Microsoft releases the update.
You can read more about SHA-1 deprecation on Microsoft’s official blog post detailing the announcement.