In November 2015, Microsoft announced a roadmap for deprecating the SHA-1 hashing algorithm – specifically, the plan to stop accepting SHA-1 TLS certificates by 2017; Microsoft gave website administrators and their users a two-year head start to prepare for this.
The SHA-1 hashing algorithm was published in 1995 – it has been used extensively since, as it was considered secure at the time. The key word is ‘was’: it is no longer considered secure, and has been replaced by SHA-2 and SHA-3.
Today, Microsoft has detailed what exactly will happen to websites and 3rd party applications that haven’t updated their certificates.
SHA-1 certificates are already not considered safe by Edge and Internet Explorer 11 – since the Windows 10 Anniversary Update, both browsers have stopped displaying the ‘Secure’ padlock icon for websites using a SHA-1 certificate.
Now, starting on February 14, 2017, Microsoft Edge and Internet Explorer 11 will stop loading websites ‘secured’ by a SHA-1 certificate – instead, an invalid certificate warning will be displayed to the user.
Users will have the option to ignore the warning, but it is not recommended.
Microsoft has made it clear that this change will only affect websites linked with Microsoft Trusted Root CA – manually installed enterprise or self-signed SHA-1 certificates will not be affected, though a business should probably upgrade to something more secure anyway.
3rd-party applications utilizing the Windows Cryptographic API and older versions of Internet Explorer will also not be affected – the change only affects Internet Explorer 11 and Edge.
Microsoft also has detailed a procedure for developers who want to test if their websites will be affected by the change – you will need the latest November Windows updates to do this.
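Microsoft's own test procedure is not reproduced here; as an added example, not part of the original article or of Microsoft's guidance, the following Python script shows the underlying check an administrator can run offline: read the outer `signatureAlgorithm` field of a DER-encoded X.509 certificate and flag the SHA-1 OIDs. It uses only the standard library and a hand-written DER reader, and the certificates it inspects in its demo are constructed stand-ins with the outer shape of a certificate (the `make_fake_cert` helper, the OID table and the `check_host` function are all assumptions of this example, not Microsoft APIs).

```python
import base64
import ssl  # used only by the optional live check in check_host()

# OIDs of the signature algorithms most often seen on TLS certificates.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der_cert):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    The outer field is the one a browser checks when it rejects SHA-1 signatures.
    """
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)        # skip tbsCertificate
    tag, alg, _ = _read_tlv(body, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)


def uses_sha1(der_cert):
    return signature_algorithm(der_cert) in SHA1_OIDS


def describe(der_cert):
    oid = signature_algorithm(der_cert)
    return SIGNATURE_OIDS.get(oid, oid)


# --- constructed test data: a DER encoder just large enough to build stand-ins ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = []
        while True:
            chunks.insert(0, a & 0x7F)
            a >>= 7
            if a == 0:
                break
        out += bytes(c | 0x80 for c in chunks[:-1]) + bytes([chunks[-1]])
    return out


def make_fake_cert(sig_oid):
    """Constructed stand-in (NOT a real certificate) with a Certificate's outer layout."""
    tbs = _der(0x30, _der(0x02, b"\x01"))  # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAA" * 4)  # placeholder BIT STRING
    return _der(0x30, tbs + alg + sig)


def check_host(host, port=443):
    """Optional live check (needs network): fetch the leaf certificate and report."""
    pem = ssl.get_server_certificate((host, port))
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    return describe(der), uses_sha1(der)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        cert = make_fake_cert(oid)
        print(describe(cert), "-> SHA-1:" , uses_sha1(cert))
```

Run the script as-is to see the two constructed certificates classified; `check_host("example.invalid")` would do the same for a live server. One caveat when using this for a real assessment: the browser change applies to every certificate in the chain below the trusted root, so run the check on each intermediate as well as the leaf; the root's own self-signature is not what is being checked.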
You can read about this change on Microsoft’s blog, and have a look at the full timeline announced by Microsoft in November last year over here.