Next Windows 10 Update Will Bring the End of Recognizing SHA-1 As Secure
Microsoft has announced that with the Anniversary update with Windows 10, the company will no longer recognize that SHA-1 is secure in Edge and Internet Explorer. In February of 2017, the company will also block SHA-1 signed TLS certificates in an effort to protect end users from websites that appear to be secure but can be easily compromised.
SHA stands for Secure Hash Algorithm, and the hash function is no longer secure and can be easily cracked. Because Edge and IE still show these sites as secure, it can provide a false sense of security when browsing web pages using this type of algorithm to secure data, as it can be compromised for as little as $2.10.
After the Anniversary update is released, if you navigate to a page using SHA-1, you will still be able to browse the site, but the URL bar will not show the lock icon indicating that it is not secure. In addition to Windows 10, for Internet Explorer 11 on Windows 7 and 8.1, these browsers will show the website as insecure as well.
It is worth noting, for those using Internet Explorer 11, this will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program.
If you are an admin and your website is currently using SHA-1, it is important that you update your security certificates as soon as possible to make sure that your site is protected, so that it will not throw an insecure flag after Microsoft releases the update.
You can read more about SHA-1 deprecation on Microsoft’s official blog post detailing the announcement.