Secure Hash Algorithm 1 (SHA-1) is a 25-year-old cryptographic hash function. Google demonstrated the weaknesses of the algorithm in 2017, and major browsers began to block websites using SHA-1 certificates. Similarly, Apple dropped support for it in 2019.
Microsoft has announced that all its major services and processes will be exclusively using SHA-2 from next month.
As the name suggests, SHA-2 is an enhanced version of SHA-1, and is more secure and performant. As such, Microsoft will allow the SHA-1 Trusted Root Certificate Authority (CA) to expire, and all major processes such as TLS certificates, file hashing, and code signing will exclusively use SHA-2 from May 9, 2021, at 4 PM PT.
This move is not particularly surprising, considering that Microsoft enforced SHA-2 signing for Windows updates in 2019 and deprecated SHA-1 signed content from the Download Center in late 2020.
Microsoft says that the expiration will only impact SHA-1 certificates that are linked to the associated Root CA. However, certificates that are manually signed using SHA-1 by enterprises themselves will not be impacted. That said, it is obviously recommended that organizations migrate to SHA-2 as well.
Overall, the Redmond tech giant considers the move to be quite "uneventful", as it says that it has done full-fledged testing of major applications and potential issues. Regardless, organizations that face problems are advised to consult Microsoft's dedicated support article or reach out to the firm's technical teams.