Company announces an official timetable for SHA1 deprecation

May 3, 2016 00:00 GMT

Microsoft clarified its plan for SHA-1 deprecation in Windows products last week, and the company says that the first major changes will come with the official release of the company's Windows 10 Anniversary Update this summer.

The company's security team says that starting with the Windows 10 Anniversary Update, both the Microsoft Edge and Internet Explorer browsers will treat all digital certificates signed with SHA-1 as insecure.

The result of this change is that the lock icon seen on HTTPS connections will be removed if SHA-1 is used on the site. Users will be allowed to access the site, but they won't see it as a secure connection anymore.

Microsoft to completely block SHA-1 certificates starting February 2017

Starting in February 2017, the change will become permanent, and all TLS certificates signed with the SHA-1 algorithm will be blocked by default in all the company's browsers. After this stage, users won't be allowed to access the sites anymore.

This last update applies to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10. Microsoft said the change will affect any certificates issued by CAs that are part of the company's Trusted Root Certificate program.

Microsoft has also provided some instructions for developers on how to test its upcoming changes via the Administrator Command Prompt.

SHA-1 considered insecure since October 2015

Security researchers broke the SHA-1 algorithm last fall when they proved that SHA-1 could be broken more easily, and with far fewer resources, than previously thought.

Researchers managed to break SHA-1-encoded data using a cluster of 64 GPU cards in only ten days. The server cost of the entire operation was between $75,000 and $120,000 (€67,000 and €107,000). Previously, researchers estimated that someone would crack SHA-1 after 2018, with costs of $173,000 / €153,000.

Mozilla was the first major browser vendor to announce an accelerated timeline to deprecate SHA-1-signed certificates. Microsoft and Google followed suit, but they only said they'll consider an accelerated timetable. Microsoft has now come forward with its official deprecation timeline.