
SHA-1 deprecation countdown


Brink (Administrator, MVP) · Posts: 22,828 · #1
The SHA-1 hash algorithm is no longer secure. Weaknesses in SHA-1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web. Microsoft, in collaboration with other members of the industry, is working to phase out SHA-1. We have outlined our timeline for SHA-1 deprecation in earlier posts, most recently in April. This post is to clarify some of our most commonly asked questions, and to help you test ahead of time.

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.

This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend for all customers to quickly migrate to SHA-256.

Additional information on Microsoft’s overall SHA-1 deprecation plans can be found on TechNet.



Microsoft Edge will display an invalid certificate warning when browsing to a site protected with a SHA-1 certificate

Frequently asked questions

How can I test if my site will be impacted?

By installing the latest November 2016 Windows Updates, including the November 2016 Preview of Monthly Quality Rollups for Windows 7/Windows 8.1, you can test how your site will be impacted by the February 2017 update. Please note that the Windows 7 and Windows 8.1 updates are currently offered as Optional Updates on Windows Update, and are expected to be promoted to Recommended Updates on December 13th, 2017. You can test by running the following commands from an Administrator Command Prompt:

First, create a logging directory and grant universal access:


    set LogDir=C:\Log
    mkdir %LogDir%
    icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
    icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
    icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
    icacls %LogDir% /setintegritylevel L

Next, enable certificate logging and SHA-1 blocking:


    Certutil -setreg chain\WeakSignatureLogDir %LogDir%
    Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80040004

Important: Use the following commands to remove the settings after you have completed your testing.


    Certutil -delreg chain\WeakSha1ThirdPartyFlags
    Certutil -delreg chain\WeakSignatureLogDir

How will other Windows applications and older versions of Internet Explorer be impacted?

Third-party Windows applications that use the Windows cryptographic API set and older versions of Internet Explorer will not be impacted by the February 2017 changes by default.

How will SHA-1 client authentication certificates be impacted?

The February 2017 update will not prevent a client using a SHA-1 signed certificate from being used in client authentication.

What about cross-signed certificates?

Windows will only check if the thumbprint of the root certificate is in the Microsoft Trusted Root Certificate Program. A certificate cross-signed with a Microsoft Trusted Root that chains to an enterprise/self-signed root would not be impacted by the changes planned for February 2017.

― Alec Oot, Senior Program Manager
― Jody Cloutier, Senior Program Manager

Source: SHA-1 deprecation countdown | Microsoft Edge Dev Blog
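As an added example (not code from the Microsoft post, nor from the forum poster), the same test procedure wrapped in one PowerShell script: it creates the log directory with the three grants and the Low integrity label, enables logging and SHA-1 blocking, reads the values back with certutil -getreg so you can confirm the test mode is really on, and removes the settings again with -Revert. The script name, the parameter names and the helper function names are this example's own; the icacls and certutil switches and values are the ones the post uses.

```powershell
<#
  Added example, not code from the Microsoft post or from the forum poster.
  Wraps the three manual steps (log directory, enable, revert) in one script
  so the SHA-1 test window is easy to open and close again.
  Assumptions: the script name, parameter names and helper function names are
  this example's own; the certutil/icacls switches and values are the post's.
  Run from an elevated PowerShell prompt:
      .\Sha1DeprecationTest.ps1            # enable test mode
      .\Sha1DeprecationTest.ps1 -Revert    # remove the settings again
#>
[CmdletBinding()]
param(
    [string]$LogDir = 'C:\Log',   # same default directory as the post
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Runs an external command and fails loudly on a non-zero exit code, so a typo
# in a SID or a registry value cannot leave the machine half-configured.
function Invoke-Checked {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Reads the two values back with certutil -getreg; a non-zero exit code means
# the value is absent (i.e. test mode is off).
function Show-WeakSha1Settings {
    foreach ($name in 'WeakSha1ThirdPartyFlags', 'WeakSignatureLogDir') {
        $out = & certutil -getreg "chain\$name"
        if ($LASTEXITCODE -eq 0) {
            Write-Host "chain\$name is set:"
            $out | Write-Host
        } else {
            Write-Host "chain\$name is not set"
        }
    }
}

if (-not (Test-IsElevated)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

if ($Revert) {
    # Same two commands as the post's "Important" step, in the same order.
    Invoke-Checked 'certutil' @('-delreg', 'chain\WeakSha1ThirdPartyFlags')
    Invoke-Checked 'certutil' @('-delreg', 'chain\WeakSignatureLogDir')
    Show-WeakSha1Settings
    return
}

# 1. Logging directory. The three SIDs are the ones the post grants:
#      S-1-15-2-1 = ALL APPLICATION PACKAGES (AppContainer processes such as Edge)
#      S-1-1-0    = Everyone
#      S-1-5-12   = RESTRICTED CODE (restricted tokens)
#    Labelling the directory Low integrity lets IE's Protected Mode tab
#    processes, which run at Low, write log files into it.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
foreach ($sid in 'S-1-15-2-1', 'S-1-1-0', 'S-1-5-12') {
    Invoke-Checked 'icacls' @($LogDir, '/grant', "*${sid}:(OI)(CI)(F)")
}
Invoke-Checked 'icacls' @($LogDir, '/setintegritylevel', 'L')

# 2. Enable certificate logging and SHA-1 blocking (values from the post).
Invoke-Checked 'certutil' @('-setreg', 'chain\WeakSignatureLogDir', $LogDir)
Invoke-Checked 'certutil' @('-setreg', 'chain\WeakSha1ThirdPartyFlags', '0x80040004')

Show-WeakSha1Settings
Write-Host "Browse to the site under test, then inspect $LogDir for logged certificates."
Write-Host 'Run this script again with -Revert when finished.'
```

Every step goes through Invoke-Checked rather than a bare call so that a failed icacls or certutil stops the script instead of silently leaving only some of the settings applied; Show-WeakSha1Settings runs after both the enable and the revert path so you can see the exact state the chain engine will use before you browse or walk away.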