Windows 10: SHA-1 deprecation countdown

Brink · Nov 17, 2016

The SHA-1 hash algorithm is no longer secure. Weaknesses in SHA-1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web. Microsoft, in collaboration with other members of the industry, is working to phase out SHA-1. We have outlined our timeline for SHA-1 deprecation in earlier posts, most recently in April. This post is to clarify some of our most commonly asked questions, and to help you test ahead of time.

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.

This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend for all customers to quickly migrate to SHA-256.

Additional information on Microsoft’s overall SHA-1 deprecation plans can be found on TechNet.

Microsoft Edge will display an invalid certificate warning when browsing to a site protected with a SHA-1 certificate

Frequently asked questions

How can I test if my site will be impacted?

By installing the latest November 2016 Windows Updates, including the November 2016 Preview of Monthly Quality Rollups for Windows 7/Windows 8.1, you can test how your site will be impacted by the February 2017 update. Please note that the Windows 7 and Windows 8.1 updates are currently offered as Optional Updates on Windows Update, and are expected to be promoted to Recommended Updates on December 13th, 2017. You can test by running the following commands from an Administrator Command Prompt:

First, create a logging directory and grant universal access:
1
2
3
4
5
6 set LogDir=C:\Log
mkdir %LogDir%
icacls %LogDir% /grant *S-1-15-2-1OI)(CI)(F)
icacls %LogDir% /grant *S-1-1-0OI)(CI)(F)
icacls %LogDir% /grant *S-1-5-12OI)(CI)(F)
icacls %LogDir% /setintegritylevel L

Next, enable certificate logging and SHA-1 blocking:
1
2 Certutil -setreg chain\WeakSignatureLogDir %LogDir%
Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80040004

Important: Use the following commands to remove the settings after you have completed your testing.
1
2 Certutil -delreg chain\WeakSha1ThirdPartyFlags
Certutil -delreg chain\WeakSignatureLogDir

How will other Windows applications and older versions of Internet Explorer be impacted?

Third party Windows applications that use the Windows cryptographic API set and older versions of Internet Explorer will not be impacted by the February 2017 changes by-default.

How will SHA-1 client authentication certificates be impacted?

The February 2017 update will not prevent a client using a SHA-1 signed certificate from being used in client authentication.

What about cross-signed certificates?

Windows will only check if the thumbprint of the root certificate is in the Microsoft Trusted Root Certificate Program. A certificate cross-signed with a Microsoft Trusted Root that chains to an enterprise/self-signed root would not be impacted by the changes planned for February 2017.

― Alec Oot, Senior Program Manager
― Jody Cloutier, Senior Program Manager
Click to expand...

Source: SHA-1 deprecation countdown | Microsoft Edge Dev Blog

:)

Zdzich · Nov 17, 2016

Can't view SSL certificates on websites visited using EDGE in Windows 10

Although Microsoft does something in the scope of certificates in Edge browser:
SHA-1 deprecation countdown - Microsoft Edge Dev Blog
but still does not take into consideration enabling to view full details of HTTPS website certificate (like IE and all other web browsers do)!

Rob Koch · Nov 17, 2016

Downloading file.exe

Since this only recently started with your other Windows 10 system, I suspect that Microsoft only just finally enabled the detection of these SHA-1 signed files, quite possibly in the recent Windows 10 Anniversary update or at least the IE11 updates that
were included within it.

So if you had installed the update on one system and not the Surface Pro 4, this might explain the difference, since my own system I was using to test here is actually running Windows 8.1 and apparently has also received an update which generates that same
corrupt or invalid message you received.

Looking around, I just found another Web Developer blog article that discusses the SHA-1 deprecation roadmap. Though this doesn't specifically mention how files containing digital signatures will be handled, I suspect that the effects on SSL certificates
using SHA-1 and those for file downloads when using IE11 would be quite similar.

An update to our SHA-1 deprecation roadmap

From the comments in this and another earlier blog article I can see that even the more technically knowledgeable web developers in these discussions have questions and see potential problems with this deprecation. One of these is that older Windows XP
and Server 2003 systems don't support the new SHA-2 or other algorithms, so these will permanently break when software or web pages containing these are accessed.

So this migration from SHA-1 to SHA-2 may be far more disruptive then Microsoft expected for those with outdated software, servers and client systems.

Rob

Windows 10: SHA-1 deprecation countdown

SHA-1 deprecation countdown

SHA-1 deprecation countdown

SHA-1 deprecation countdown - Similar Threads - SHA deprecation countdown

Stop Using SHA-1

Stop Using SHA-1

Issues with WIn 7, Connecting using RDP shows SHA-1 trying to Update to SHA-2

Certificate Services signs certificates with SHA-1 even though SHA-256 is selected

Certificate Services signs certificates with SHA-1 even though SHA-256 is selected

Deprecated

SHA-1 Deprecation Update

Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge & IE11

An update to our SHA-1 deprecation roadmap