Microsoft Browsers Edge 10 and IE Block SHA-1 SSL Certificates

May 19, 2017 | By Comodo SSL

Browsers serve as the gateway to the internet for users. They also serve as a gateway for transmitting malware to internet users. For this reason, browsers secure themselves and their users using SSL certificates, or SSL encryption. SSL-certified websites provide a secure path of communication for the data exchanged between the browser and the user. This secure path is impervious to hacking. Therefore, SSL certificates have become a must for websites if they are to gain the trust of browsers and internet users.

SSL is a complex technology involving encryption and hashing algorithms. When it comes to hashing algorithms, it has so far used two different types, named SHA-1 and SHA-2, where SHA stands for Secure Hash Algorithm. SHA-1 has been around for a very long time, and therefore many SSL-certified websites were happy using it. At least they were until recently, when Microsoft decided that its browsers too, just like Google and Firefox, would for security reasons block websites that use SHA-1.

It’s only been a few days since Microsoft browsers Edge 10 and IE chose to block websites signed with SSL certificates that use the SHA-1 hashing algorithm. Websites that still rely on such certificates are now being blocked, and a message is displayed instead saying the website’s security is questionable. Microsoft sees this initiative as an attempt to secure the users of its browsers, falling in line with the latest security trend of CAs (Certificate Authorities) and other browsers deprecating the SHA-1 hashing algorithm in favor of SSL certificates based on the more secure SHA-2 hashing algorithm.

Browser vendors have been trying to phase out SHA-1 certificates as insecure since 2015. But Google was the first to completely deprecate websites signed with SHA-1 SSL certificates, labeling them as insecure with its January release of Chrome 56. Firefox and Apple followed suit. So, websites which haven’t been moved to SHA-2 based SSL certificates will be affected.

The reason behind this shift in the security trend towards SHA-2 SSL certificates should be attributed to researchers at Google and CWI Amsterdam. Research conducted by them this February revealed a technical flaw in SHA-1 resulting in an SHA-1 collision. In layman’s terms, this means the SHA-1 hashing algorithm was ineffective, as demonstrated by two PDFs containing different content that had the same SHA-1 hash, while in normal circumstances each SHA-1 hash is expected to be unique. This experiment spelled doom for SHA-1 SSL certificates.

The SHA-1 hash algorithm takes an arbitrary block of data and returns a fixed-size bit string, which serves as the cryptographic representation of a file or a piece of data. This is supposed to be unique and non-reversible. But it has become evident that this is not always so, as demonstrated by Google’s researchers, and therefore SHA-1 is being replaced by SHA-2, which is an enhanced and more secure version of SHA-1.

Microsoft’s plan to archive SHA-1 certificates also extends to self-signed SSL/TLS certificates. Only those websites using SHA-1 TLS certificates have been exempted for the time being. But Microsoft expects them to soon migrate to SHA-2 based SSL certificates as well. In fact, it is being suggested that Microsoft’s long-term plan is to phase out the SHA-1 hashing algorithm from all usages in Windows, including the hashing algorithm’s use for verifying the integrity of downloaded files.
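
To find out whether a given certificate is one of the SHA-1 signed certificates described above, an administrator can read the signature algorithm recorded in the certificate itself. The following is an added example, not code from the original article: a standard-library Python sketch that walks the certificate's DER structure and reports the signature algorithm. The function names, the OID table and the two sample byte strings are constructed for illustration.

```python
import ssl

# Signature-algorithm OIDs mapped to (name, uses SHA-1); SHA-2 entries for contrast.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(data):
    arcs, value = [], 0
    for byte in data:  # base-128 digits; a set high bit means more bytes follow
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs are packed as 40*X + Y
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def signature_algorithm(cert):
    """Return (oid, name, is_sha1) for a certificate given as DER bytes or PEM text."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert)
    tag, start, _ = read_tlv(cert, 0)            # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)        # tbsCertificate, skipped
    _, alg_start, _ = read_tlv(cert, tbs_end)    # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    oid = decode_oid(cert[oid_start:oid_end])
    # is_sha1 is None for an OID missing from the table: unknown, not "safe".
    return (oid,) + SIG_ALGS.get(oid, ("unknown", None))

# Constructed skeletons with a certificate's outer layout only; not real certificates.
SKELETON = "3018" "3003020102" "300d0609{oid}0500" "03020000"
SHA1_SAMPLE = bytes.fromhex(SKELETON.format(oid="2a864886f70d010105"))
SHA256_SAMPLE = bytes.fromhex(SKELETON.format(oid="2a864886f70d01010b"))
```

Run it against the site certificate and every intermediate certificate the server sends, since each of those signatures is checked by the browser. A result of `None` in the third field means the algorithm is not in the table and needs a manual look.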
