Microsoft to begin SHA-1 crypto shutoff with Windows 10’s summer upgrade – Computerworld

Microsoft last week outlined the timetable it will use to drop browser support for sites that secure traffic with SHA-1 certificates, part of an Internet-wide plan to rid the Internet of the weaker encryption.

With the delivery of the Windows 10 Anniversary Update — slated to ship sometime this summer — both Internet Explorer (IE) and Edge will stop displaying a lock icon for sites that rely on a SHA-1 certificate. That icon signals that the bits passing back and forth between browser and website are encrypted, and so not vulnerable to spying.

But Microsoft and other browser makers — including Google and Mozilla — have declared that SHA-1 certificates are unsafe because their encryption was insufficiently strong. Originally, the browser builders had agreed to stop trusting SHA-1-signed certificates on Jan. 1, 2017, but new research last year prompted them to consider a July 1, 2016 deadline.

Security researchers have demonstrated that cybercriminals can craft fake SHA-1-based certificates, which they could then use to dupe users into believing that a counterfeit website was the real deal.
