Ricardo Santos

In February 2017, both Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates

Discussion created by Ricardo Santos on Apr 30, 2016
Latest reply on May 6, 2016 by Rob Moss

Thoughts about the impact?


An update to our SHA-1 deprecation roadmap | Microsoft Edge Dev Blog

APRIL 29, 2016 10:00 AM

An update to our SHA-1 deprecation roadmap

By Microsoft Edge Team


In November, we shared a SHA-1 Deprecation Update with some early details on our schedule for blocking SHA-1 signed TLS certificates. Today we would like to share some more details on how this will be rolled out.

Starting with the Windows 10 Anniversary Update, Microsoft Edge and Internet Explorer will no longer consider websites protected with a SHA-1 certificate as secure and will remove the address bar lock icon for these sites. These sites will continue to work, but will not be considered secure. This change will be in upcoming Windows Insider Preview builds soon, and will be deployed broadly this summer. In February 2017, both Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates.

This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program. Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers.

Additional information on Microsoft’s overall SHA-1 deprecation plans can be found on TechNet.

Test blocking of SHA-1 TLS Certificates

You can enable logging of your use of SHA1 certificates by typing the following commands into an Administrator Command Prompt. The following commands do not block the use of SHA1 TLS certificates; however, they will log the certificate to the provided directory.

First, create a logging directory and grant universal access:

set LogDir=C:\Log
mkdir %LogDir%
rem S-1-15-2-1 = ALL APPLICATION PACKAGES (so AppContainer processes such as Edge can write)
icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
rem S-1-1-0 = Everyone
icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
rem S-1-5-12 = RESTRICTED CODE (restricted tokens used by sandboxed/Protected Mode processes)
icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
rem Low integrity label, so low-IL processes (IE Protected Mode) can write here too
icacls %LogDir% /setintegritylevel L

Enable certificate logging

Certutil -setreg chain\WeakSignatureLogDir %LogDir%
Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80900008

Use the following command to remove the settings after you have completed your testing.

Certutil -delreg chain\WeakSha1ThirdPartyFlags
Certutil -delreg chain\WeakSignatureLogDir

Additional information on these commands and other protections against weak crypto can be found here: Protecting Against Weak Cryptographic Algorithms.

– Alec Oot, Senior Program Manager
– Mike Stephens, Senior Program Manager

UPDATED APRIL 29, 2016 10:15 AM
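Added example, not part of the Microsoft post above or of this thread: a PowerShell helper for measuring the impact the blog talks about. Test-Sha1Chain connects to a server, lets CryptoAPI build the chain the same way IE/Edge would (local store plus AIA fetching), and flags any SHA-1 signature that is not the trust anchor's own self-signature, because a root's signature is never verified and is not what the block targets. Get-WeakSignatureLog reads the directory configured by the certutil commands above; it assumes the logged entries are written as DER certificate files, which is an assumption of this example, not something the blog states. Everything else uses the .NET Framework SslStream, X509Chain and X509Certificate2 classes as they ship on Windows.

```powershell
function Test-Sha1Chain {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    # Accept whatever the server presents during the handshake; the chain is
    # inspected separately below, so no trust decision is made here.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        # Copy the leaf out before the socket goes away.
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # Let CryptoAPI build the chain exactly as the browser would (local stores + AIA).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only signature algorithms matter here
    [void]$chain.Build($leaf)

    $elements = @($chain.ChainElements)
    for ($i = 0; $i -lt $elements.Count; $i++) {
        $cert   = $elements[$i].Certificate
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha1RSA, sha256RSA
        # The last element is the anchor; its self-signature is never validated,
        # so a SHA-1 root signature on its own does not trigger the block.
        $isSelfSignedAnchor = ($i -eq $elements.Count - 1) -and ($cert.Subject -eq $cert.Issuer)

        [pscustomobject]@{
            Depth    = $i
            Subject  = $cert.Subject
            SigAlg   = $sigAlg
            NotAfter = $cert.NotAfter
            Affected = ($sigAlg -match 'sha1') -and -not $isSelfSignedAnchor
        }
    }
}

function Get-WeakSignatureLog {
    param([string]$LogDir = 'C:\Log')   # same directory as the certutil WeakSignatureLogDir setting

    # Assumption (this example's, not the blog's): each logged entry is a DER
    # certificate file. Anything that does not parse as a certificate is skipped.
    Get-ChildItem -Path $LogDir -File | ForEach-Object {
        try {
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.FullName)
            [pscustomobject]@{
                File     = $_.Name
                Subject  = $c.Subject
                Issuer   = $c.Issuer
                SigAlg   = $c.SignatureAlgorithm.FriendlyName
                NotAfter = $c.NotAfter
            }
        } catch {
            # not a certificate file; ignore
        }
    }
}

# Usage:
#   Test-Sha1Chain -HostName www.example.com | Format-Table -AutoSize
#   Get-WeakSignatureLog -LogDir C:\Log | Sort-Object NotAfter | Format-Table -AutoSize
```

Run Test-Sha1Chain against the hosts you care about and look at the Affected column: any row with Affected = True is a certificate that will lose the lock icon in the Anniversary Update and be blocked in February 2017, provided the chain ends in a root from the Microsoft Trusted Root Certificate Program (enterprise-private roots are out of scope, as the blog says). Because the chain is built locally, results can differ between machines that have different intermediates cached, which is exactly the variation you will see across your user base.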
