Microsoft has announced it will no longer support the insecure SHA-1 hash algorithm for HTTPS from 14 February next year, adding further urgency for webmasters to transition to SHA-2.
Weaknesses in SHA-1 have been known for over a decade; a forged certificate built on them would let attackers mount man-in-the-middle attacks, run phishing campaigns and spoof content.
That’s why all the major browser manufacturers are no longer supporting it from early next year.
Google confirmed last Wednesday that it would remove support in Chrome 56, to be released at the end of January, while Mozilla has said it will do the same after Firefox 51 is released in January.
“Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website,” said Microsoft on Friday.
“This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend for all customers to quickly migrate to SHA-256.”
Once this happens, websites still using SHA-1 certificates will be in trouble because visitors will be presented with a browser warning claiming the site isn’t to be trusted – which could deter many.
Some may also experience performance issues, and there will be no green padlock displayed in the address line for HTTPS transactions.
Research from security firm Venafi announced last week claimed that over a third (35%) of websites around the world are still using SHA-1.
The problem may be partly down to the lack of visibility many organizations have into their digital certificates and encryption keys.
Venafi claims many don’t know how many they have or where they’re being used, which makes SHA-2 migration all the more problematic.
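The inventory gap described above is the practical problem: you cannot migrate certificates you cannot find. As an added check (not code from the article, Microsoft or Venafi), the stdlib-only Python below reads the outer signatureAlgorithm of a DER-encoded X.509 certificate and flags SHA-1; the two sample certificates are constructed stubs in which only the outer Certificate framing is real, and in practice you would feed it the DER of each certificate served in a chain, ignoring the self-signed root, whose own signature is not what browsers verify.

```python
# Signature-algorithm OIDs (RFC 3279 / RFC 5754) and the digest each one implies.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.10040.4.3": ("dsa-with-sha1", "sha1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos (single-byte tags suffice for X.509 framing)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(body):
    """Decode OID content octets into dotted form."""
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signatureValue }: return the OID."""
    _, cert, _ = _tlv(cert_der, 0)
    _, _tbs, pos = _tlv(cert, 0)           # tbsCertificate is skipped unparsed
    _, alg, _ = _tlv(cert, pos)            # AlgorithmIdentifier ::= SEQ { OID, params }
    _, oid, _ = _tlv(alg, 0)
    return _oid(oid)

def uses_sha1(cert_der):
    """True if the signature digest is SHA-1; an OID not in the table is reported as not SHA-1."""
    return SIGNATURE_OIDS.get(signature_oid(cert_der), ("?", "unknown"))[1] == "sha1"

# Constructed samples: only the outer Certificate framing is real, tbsCertificate is a stub.
def _der(tag, body):
    return bytes([tag, len(body)]) + body    # short-form length is enough for the stubs

def _stub_cert(oid_hex):
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, _der(0x02, b"\x01")) + alg + _der(0x03, b"\x00\x00"))

SHA1_CERT = _stub_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_CERT = _stub_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

For a real chain, run `uses_sha1` over every certificate except the trusted root, since a SHA-1 intermediate triggers the same browser warning as a SHA-1 leaf.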