Microsoft Finally Bans SHA-1 Certificates In Its Browsers (zdnet.com)
An anonymous reader quotes ZDNet:
With this week's monthly Patch Tuesday, Microsoft has also rolled out a new policy for Edge and Internet Explorer that prevents sites that use a SHA-1-signed HTTPS certificate from loading. The move brings Microsoft's browsers in line with Chrome, which dropped support for the SHA-1 cryptographic hash function in January's stable release of Chrome 56, and Firefox's February cut-off... Apple dropped support for SHA-1 in March with macOS Sierra 10.12.4 and iOS 10.3... Once Tuesday's updates are installed, Microsoft's browsers will no longer load sites with SHA-1 signed certificates and will display an error warning highlighting a security problem with the site's certificate.
Better 5 months late and unannounced with no industry coordination or planning than never.
Anyone with a brain knew this was going to happen and already made the transition years ago. The procrastinating and/or ignorant people caught with their pants down would not have responded to any effort at coordination, and are not capable of planning.
Good luck with that. Some places would label you as a troublemaker for insulting their phb who paid millions for these web apps. I left my former employer over such things as they refused to update anything and didn't want to be fired when shit hit the fan
http://saveie6.com/
https://technet.microsoft.com/...
"This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted,"
I'm not sure why that's a problem. Self-signed certs already give you a warning page, so no difference there. For Enterprise certs they've been warning us for quite a while to change out our CA root certs to stop using SHA-1 and start phasing out the old certs. However, if a business hasn't done that, they're not breaking things.
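The quoted policy turns on one detail: the end-entity or an issuing intermediate being signed with SHA-1, while the root's own self-signature does not matter (browsers trust roots by identity, not by checking their signature). The following is an added example, not code from the thread or from Microsoft, showing how an administrator can audit a chain for exactly that condition using only the Python standard library. It reads the outer signatureAlgorithm OID straight out of the DER encoding, so it works on any certificate without third-party packages. The `make_stub_cert` helper and the sample chain are constructed stand-ins (structurally minimal, not real or signed certificates) used only to exercise the check.

```python
"""Audit an X.509 chain for SHA-1 signatures on non-root members (stdlib only).

Added example: parses only the top-level Certificate structure
(tbsCertificate, signatureAlgorithm, signatureValue) and reports every
end-entity or intermediate certificate whose signature algorithm is SHA-1 based.
"""

# Well-known signature-algorithm OIDs (RFC 3279 / RFC 4055).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first & 0x80:                      # long-form length: 0x8N followed by N bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:                                 # short-form length
        length = first
        start = pos + 2
    end = start + length
    return tag, buf[start:end], end


def decode_oid(value):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    comps = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                   # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            comps.append(acc)
            acc = 0
    return ".".join(str(c) for c in comps)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)          # tbsCertificate (skipped)
    _, alg_id, _ = read_tlv(body, pos)        # signatureAlgorithm AlgorithmIdentifier
    tag, oid_bytes, _ = read_tlv(alg_id, 0)   # first element of AlgorithmIdentifier is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_bytes)


def sha1_signed_members(chain_der):
    """chain_der: list of DER certs, leaf first, root last.

    Returns [(index, role, algorithm_name)] for every non-root certificate
    signed with SHA-1. The root's own self-signature is deliberately not
    checked, matching the policy quoted above.
    """
    findings = []
    for i, cert in enumerate(chain_der[:-1]):
        oid = signature_algorithm_oid(cert)
        if oid in SHA1_SIGNATURE_OIDS:
            role = "end-entity" if i == 0 else "intermediate"
            findings.append((i, role, SHA1_SIGNATURE_OIDS[oid]))
    return findings


# ---- constructed test fixtures (NOT real certificates) ----------------------

def _der(tag, content):
    """Minimal DER TLV encoder used only to build stub certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    comps = [int(c) for c in dotted.split(".")]
    out = bytearray([40 * comps[0] + comps[1]])
    for c in comps[2:]:
        chunk = [c & 0x7F]
        c >>= 7
        while c:
            chunk.append(0x80 | (c & 0x7F))
            c >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_stub_cert(sig_oid):
    """CONSTRUCTED stand-in: SEQUENCE { tbs placeholder, AlgorithmIdentifier, dummy BIT STRING }."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL parameters
    sig = _der(0x03, b"\x00" + b"\x00" * 8)                             # unused-bits byte + dummy sig
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Constructed chain: SHA-1 leaf, SHA-256 intermediate, SHA-1 self-signed root.
    chain = [make_stub_cert("1.2.840.113549.1.1.5"),
             make_stub_cert(SHA256_RSA_OID),
             make_stub_cert("1.2.840.113549.1.1.5")]
    print(sha1_signed_members(chain))   # only the leaf is reported; the root is ignored
```

To run this against a real chain, load each PEM file and convert it with the standard library's `ssl.PEM_cert_to_DER_cert()` before passing the list (leaf first, root last) to `sha1_signed_members`. A chain whose only SHA-1 signature is on the root is not affected by the policy quoted above; one with a SHA-1 leaf or intermediate chaining to a publicly trusted root is.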
It was announced over three years ago (and they gave a year's extension):
https://technet.microsoft.com/en-us/library/security/2880823.aspx
Microsoft may be shite at a lot of things, but one thing they aren't is giving their enterprise customers long-term notice about changes like this.
I wonder if they still support ROT13 certificates.
It is not secure encryption, so it is just as insecure as an unencrypted site. But since it is banned we can't even view these sites anymore. That makes no sense. There should just be a warning, similar to what you get for an untrusted certificate.
Does Edge work as a browser yet?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I work for a large company that has a proxy server that does MITM attacks. The certs issued by the server are SHA-1, so we haven't been able to use Chrome and Firefox for months. The funny thing is that they even recommend using Chrome for certain sites. Many of us have opened tickets on this and they just don't seem to understand that this isn't a bug in Chrome. *facepalm* I hope this finally forces them to fix it. Although I don't have high hopes. Odds are more that they will try to block the update, and if anyone winds up with it they will be considered out-of-compliance and IT will reformat their machines.
Yes, that's my point. I don't want to tell my users to run IE6 just so they can access a legacy application for absolutely no (technical) reason other than an arbitrary "security" decision by the browser developers to take away my ability to accept the risk in cases where I feel it's appropriate. It would actually be MUCH more secure for everyone involved if I could provide instructions for users to bypass the error and view the page anyway _only for specific, known, exceptions_ or better yet to be able to push a policy to systems that allows only these specific pre-approved sites, so that I can manage the security of my own company's users rather than having Google, et al., heavy-handedly shove a one-size-fits-all "fix" to my users if they want to use a modern and more secure browser at all. This stuff used to work OK with adding to trusted zone, adding certs to trusted CA store, launching the browser with a special command line option, or updating advanced settings, etc. Now instead there are multiple situations where there is absolutely no way to force the browser to display the page at all (one of these is if the certificate is revoked, even accidentally, and even with hold status). That's just stupid! This goes beyond merely "erring on the side of safety" and into "you must do as we say no matter what because we know better than you and there's not a damn thing you can do about it" territory.