Microsoft follows Mozilla, announces SHA-1's doom

Nov 5, 2015 17:09 GMT

Microsoft's Edge Team is considering pulling the plug on SHA-1 digital certificates earlier than previously planned. The Redmond-based company is following the lead of Mozilla, which announced the same thing two weeks ago.

Just like Mozilla, Microsoft is basing its decision on the recent cracking of the SHA-1 algorithm by a team of scientists from universities in France, Holland, and Singapore.

The researchers managed to break the inner layer of the SHA-1 hash algorithm using a cluster of 64 GPU cards in only ten days.

The entire cost of this operation was between $75,000 and $120,000 (€67,000 and €107,000). This was substantially lower than what other scientists had thought would be needed. The research was made public to warn organizations of the impending danger.

Browser makers were the first to react

The first to react was Mozilla, which, in a statement on its blog, said it was re-evaluating the option of moving the cut-off date from January 1, 2017, to as early as July 1, 2016.

Mozilla's lead was followed by Microsoft yesterday, when Kyle Pflug, Program Manager, Microsoft Edge, said, "In light of recent advances in attacks on the SHA-1 algorithm, we are now considering an accelerated timeline to deprecate SHA-1 signed TLS certificates as early as June 2016."

Previous plans had Microsoft blocking any SHA-1 signed certificates starting January 1, 2017.

Right now, the other major player in the browser market, Google, has not yet moved the cut-off date for SHA-1 from the initially planned date of January 1, 2017.

A study by Netcraft shows that, currently, over 1 million websites are still deploying SHA-1 signed certificates in their infrastructure. A subsequent investigation by the same Netcraft staff has revealed that many of the US government and military websites are still using obsolete SHA-1 certificates, putting their users and data at risk.