
Microsoft Edge and Internet Explorer 11 Will Block Websites with SHA-1 Certificates

Starting on February 14th, 2017, the two browsers will display an invalid certificate warning. Users will have the option to ignore the error and continue to the website.


The block will only impact SHA-1 certificates that chain to a Trusted Root Certificate Authority. Microsoft states that the change will not impact manually-installed enterprise or self-signed SHA-1 certificates. The company recommends migration to SHA-256.

Invalid certificate warning when browsing to a site protected with a SHA-1 certificate
Image credit: Microsoft

SHA-1 stands for Secure Hash Algorithm 1, a cryptographic hash function widely used in security applications and protocols, including TLS and SSL, PGP, SSH, S/MIME, and IPsec. Since cryptanalysts found attacks on SHA-1 in 2005, it has been considered insecure. Its successors SHA-2 and SHA-3 offer much higher security.

For those looking to find out if this will have an impact on their site, there is a way to test it. You need to install the latest November 2016 Windows Updates, including the November 2016 Preview of Monthly Quality Rollups for Windows 7/Windows 8.1.

However, Windows 7 and Windows 8.1 updates are currently offered as Optional Updates on Windows Update. They will be promoted to Recommended Updates on December 13th, 2017.

The test is run with a few commands from an Administrator Command Prompt. The details of the command procedure are available in Microsoft's blog post about the topic.

The company also states that third-party Windows applications that use the Windows cryptographic API set, as well as older versions of Internet Explorer, will not be impacted automatically by the February 2017 changes.

As for the cross-signed certificates, Windows will only check if the thumbprint of the root certificate is in the Microsoft Trusted Root Certificate Program. The upcoming changes will not affect a certificate cross-signed with a Microsoft Trusted Root that chains to an enterprise/self-signed root.
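An added illustration of the rule described above (SHA-1 certificates are affected only when they chain to a root in the trusted root program); it is not Microsoft's code and not part of the original article. It reads the signatureAlgorithm field of a DER certificate with the Python standard library. The helper names, the leaf-first chain order and the choice to check every non-root certificate are assumptions, and the sample inputs are constructed DER skeletons, not real certificates.

```python
# DER-encoded OIDs of common certificate signature algorithms.
SIG_ALGS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("2a8648ce3d040302"): "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def signature_algorithm(cert_der):
    """Name of the outer signatureAlgorithm of an X.509 certificate."""
    tag, body, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, _, after_tbs = read_tlv(body, 0)        # skip tbsCertificate
    alg_tag, alg, _ = read_tlv(body, after_tbs)
    oid_tag, oid, _ = read_tlv(alg, 0)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    return SIG_ALGS.get(oid, "other")

def would_warn(chain, root_in_trusted_program):
    """chain: DER certificates, leaf first and root last (assumption).
    The root's own signature is ignored; only certificates below it count."""
    sha1_below_root = any("sha1" in signature_algorithm(c).lower()
                          for c in chain[:-1])
    return sha1_below_root and root_in_trusted_program

def skeleton_cert(oid_hex):
    """Constructed sample: certificate-shaped DER with an empty tbsCertificate."""
    oid = bytes.fromhex(oid_hex)
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body

if __name__ == "__main__":
    leaf = skeleton_cert("2a864886f70d010105")   # SHA-1 signed site certificate
    root = skeleton_cert("2a864886f70d01010b")
    print(signature_algorithm(leaf), would_warn([leaf, root], True))
```

To inspect a real certificate, pass its DER bytes (for example the output of `ssl.PEM_cert_to_DER_cert`) to `signature_algorithm`.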

SHA-1: Prone to attacks

The SHA-1 hash algorithm is no longer secure due to its many weaknesses. An attacker could spoof content, execute , or perform man-in-the-middle attacks when browsing the web.

Microsoft is working together with other members of the industry to phase out SHA-1 and raise awareness about it. The company announced the plans to deprecate SHA-1 in 2015.

These changes will take place in three phases, with the first two centering around the browsers.

The first phase is indicating to users that SHA-1 is less secure than SHA-2. Customers using Microsoft Edge or Internet Explorer 11 will notice that the browsers no longer display a lock icon.

The second phase will begin on February 14, 2017. Microsoft will release an update to Microsoft Edge and Internet Explorer 11 that will display an Invalid Certificate warning page.

The last phase is developing a common, OS-level experience that all applications can use to warn users about weak cryptography like SHA-1. This will take place after the February changes.

Sead Fadilpasic