The block will only impact SHA-1 certificates that chain to a Microsoft Trusted Root Certificate Authority. Microsoft states that the change will not impact manually-installed enterprise or self-signed SHA-1 certificates. The company recommends migration to SHA-256.
SHA-1 stands for Secure Hash Algorithm 1, a cryptographic hash function widely used in security applications and protocols, including TLS and SSL, PGP, SSH, S/MIME, and IPsec. Since cryptanalysts found attacks on SHA-1 in 2005, it is considered insecure. Its successors SHA-2 and SHA-3 offer much higher security.
For those looking to find out whether this will have an impact on their site, there is a way to test it. You need to install the latest November 2016 Windows Updates, including the November 2016 Preview of Monthly Quality Rollups for Windows 7/Windows 8.1.
However, Windows 7 and Windows 8.1 updates are currently offered as Optional Updates on Windows Update. They will be promoted to Recommended Updates on December 13th, 2017.
The test is performed by running a few commands from an Administrator Command Prompt. The details of the command procedure are available in Microsoft’s blog post on the topic.
The company also states that third party Windows applications that use the Windows cryptographic API set, as well as older versions of Internet Explorer, will not be impacted automatically by the February 2017 changes.
As for the cross-signed certificates, Windows will only check if the thumbprint of the root certificate is in the Microsoft Trusted Root Certificate Program. The upcoming changes will not affect a certificate cross-signed with a Microsoft Trusted Root that chains to an enterprise/self-signed root.
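The following is an added example, not code from the article or from Microsoft, that models the chain rule described above: a chain is affected only if its root thumbprint is in the Trusted Root Program and a certificate below that root carries a SHA-1 signature. Certificate names, DER bytes and the trusted-thumbprint set are constructed stand-ins, and it assumes the root's own self-signature is not evaluated.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str   # algorithm the issuer used to sign this certificate
    der: bytes     # constructed stand-in for the real DER encoding

    @property
    def thumbprint(self) -> str:
        # A Windows certificate thumbprint is the SHA-1 digest of the DER bytes.
        return hashlib.sha1(self.der).hexdigest().upper()

def sha1_certs(chain):
    """Subjects of every non-root certificate signed with SHA-1.
    Assumption: the root's self-signature is not evaluated, since roots are
    trusted by thumbprint rather than by verifying their own signature."""
    return [c.subject for c in chain[:-1] if c.sig_alg.lower().startswith("sha1")]

def blocked_by_sha1_policy(chain, ms_trusted_thumbprints):
    """True if the February 2017 change would block this chain: it must end at
    a root whose thumbprint is in the Microsoft Trusted Root Program AND carry
    at least one SHA-1 signature below that root."""
    root = chain[-1]
    if root.subject != root.issuer:
        raise ValueError("chain must end in a self-signed root")
    if root.thumbprint not in ms_trusted_thumbprints:
        return False  # enterprise / self-signed root: out of scope of the block
    return bool(sha1_certs(chain))

# Constructed sample certificates (hypothetical names, fake DER bytes).
MS_ROOT  = Cert("Public Root CA", "Public Root CA", "sha1WithRSA", b"der:public-root")
ENT_ROOT = Cert("Corp Root CA", "Corp Root CA", "sha256WithRSA", b"der:corp-root")
# The same intermediate exists twice: issued by the public root, and cross-signed by the corporate root.
INTER_PUBLIC = Cert("Issuing CA", "Public Root CA", "sha256WithRSA", b"der:inter-public")
INTER_CROSS  = Cert("Issuing CA", "Corp Root CA", "sha256WithRSA", b"der:inter-cross")
LEAF_SHA1   = Cert("www.example.com", "Issuing CA", "sha1WithRSA", b"der:leaf-sha1")
LEAF_SHA256 = Cert("www.example.com", "Issuing CA", "sha256WithRSA", b"der:leaf-sha256")

MS_TRUSTED = {MS_ROOT.thumbprint}  # stand-in for the Trusted Root Program list

MS_CHAIN         = [LEAF_SHA1, INTER_PUBLIC, MS_ROOT]    # SHA-1 leaf under a program root: blocked
ENTERPRISE_CHAIN = [LEAF_SHA1, INTER_CROSS, ENT_ROOT]    # same leaf via the cross-signed path: not blocked
SHA256_CHAIN     = [LEAF_SHA256, INTER_PUBLIC, MS_ROOT]  # migrated to SHA-256: not blocked

if __name__ == "__main__":
    for name, chain in [("public", MS_CHAIN), ("cross-signed", ENTERPRISE_CHAIN), ("sha256", SHA256_CHAIN)]:
        print(f"{name:13s} blocked={blocked_by_sha1_policy(chain, MS_TRUSTED)} sha1={sha1_certs(chain)}")
```

The `sha1_certs` list doubles as the set of certificates that must be re-issued under SHA-256 before the February change.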
SHA-1: Prone to attacks
The SHA-1 hash algorithm is no longer secure due to its many weaknesses. An attacker could spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web.
Microsoft is working together with other members of the industry to phase out the SHA-1 hash algorithm and raise awareness of its weaknesses. The company announced its plans to deprecate SHA-1 in 2015.
These changes will take place in three phases, with the first two centering around the browsers.
The first phase involves indicating to users that SHA-1 is less secure than SHA-2. Customers using Microsoft Edge or Internet Explorer 11 will notice that the browsers no longer display a lock icon.
The second phase will begin on February 14, 2017. Microsoft will release an update to Microsoft Edge and Internet Explorer 11 that will display an Invalid Certificate warning page.
The last phase is developing a common, OS-level experience that all applications can use to warn users about weak cryptography like SHA-1. This will take place after the February changes.