Microsoft Finally Bans SHA-1 Certificates In Its Browsers (zdnet.com)
An anonymous reader quotes ZDNet:
With this week's monthly Patch Tuesday, Microsoft has also rolled out a new policy for Edge and Internet Explorer that prevents sites that use a SHA-1-signed HTTPS certificate from loading. The move brings Microsoft's browsers in line with Chrome, which dropped support for the SHA-1 cryptographic hash function in January's stable release of Chrome 56, and Firefox's February cut-off... Apple dropped support for SHA-1 in March with macOS Sierra 10.12.4 and iOS 10.3... Once Tuesday's updates are installed, Microsoft's browsers will no longer load sites with SHA-1 signed certificates and will display an error warning highlighting a security problem with the site's certificate.
Re:well you know what they say (Score:5, Insightful)
Better 5 months late and unannounced with no industry coordination or planning than never.
Anyone with a brain knew this was going to happen and already made the transition years ago. The procrastinating and/or ignorant people caught with their pants down would not have responded to any effort at coordination, and are not capable of planning.
Re: (Score:2)
Good luck with that. Some places would label you as a troublemaker for insulting their PHB who paid millions for these web apps. I left my former employer over such things, as they refused to update anything and I didn't want to be fired when shit hit the fan.
Re: (Score:1)
https://technet.microsoft.com/... [microsoft.com]
"This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted,"
Re: (Score:2)
I'm not sure why that's a problem. Self signed certs already give you a warning page, so no difference there. For Enterprise certs they've been warning us for quite a while to change out our CA root certs to stop using SHA-1 and start phasing out the old certs. However, if a business hasn't done that, they're not breaking things.
Who modded this drivel up? (Score:2, Informative)
It was announced over three years ago (and they gave a year's extension):
https://technet.microsoft.com/en-us/library/security/2880823.aspx [microsoft.com]
Microsoft may be shite at a lot of things, but one thing they aren't is giving their enterprise customers long-term notice about changes like this.
Not a problem with my former employer (Score:1)
We still use IE 6 for such sites
backwards compatibility (Score:2)
I wonder if they still support ROT13 certificates.
Re: (Score:2)
There is no such thing.
Please learn the basics of cryptography. There are 2 big categories:
A: encryption schemes
B: cryptographic one-way hash
ROT13 goes in bucket A, SHA-1 goes in bucket B.
While we are on the subject, encryption schemes come in 2 flavours:
1: symmetric key encryption (same key)
2: Public key cryptography, or asymmetric cryptography
Go read a few Wikipedia pages, it's really not as hard as you would expect.
Re: (Score:3)
Your sense of humor detector is broken.
Why ban it? (Score:5, Insightful)
Re: (Score:1)
Yes, that's my point. I don't want to tell my users to run IE6 just so they can access a legacy application for absolutely no (technical) reason other than an arbitrary "security" decision by the browser developers to take away my ability to accept the risk in cases where I feel it's appropriate. It would actually be MUCH more secure for everyone involved if I could provide instructions for users to bypass the error and view the page anyway _only for specific, known, exceptions_ or better yet to be able t
Re: (Score:2)
The problem with this thinking is sites which handle payment data and other sensitive data who are refusing to upgrade. By keeping it for low risk sites, we also keep it for high risk sites to abuse as well. We have to cut it off for all sites to stop the high risk ones from using it.
TLS creates the appearance of security but high risk sites can use broken old technology with TLS and give the appearance of security when the security is terribly broken, giving the user (and even ignorant and lazy sit
huh? (Score:2)
IT department still uses SHA-1 (Score:3)
I work for a large company that has a proxy server that does MITM attacks. The certs issued by the server are SHA-1, so we haven't been able to use Chrome and Firefox for months. The funny thing is that they even recommend using Chrome for certain sites. Many of us have opened tickets on this and they just don't seem to understand that this isn't a bug in Chrome. *facepalm* I hope this finally forces them to fix it. Although I don't have high hopes. Odds are more that they will try to block the update, and if anyone winds up with it they will be considered out-of-compliance and IT will reformat their machines.
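Added example, not code from the thread, ZDNet or Microsoft: a stdlib-only Python check that reports which certificates in a PEM chain carry a SHA-1 signature algorithm, which is the condition the TechNet quote earlier in the thread describes (a SHA-1 end-entity or intermediate) and the one the proxy-issued certificates in this comment would trip. It reads only the outer `signatureAlgorithm` of each DER certificate; the sample chain is constructed skeleton data, not real certificates, built so the long-form DER lengths of real certificates are exercised.

```python
import base64
import re

# DER-encoded signature-algorithm OIDs whose digest is SHA-1 (names per RFC 3279).
SHA1_SIGNATURE_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption (1.2.840.113549.1.1.5)",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1 (1.2.840.10045.4.1)",
    bytes.fromhex("2a8648ce380403"): "dsa-with-sha1 (1.2.840.10040.4.3)",
}

def _read_tlv(buf, pos):
    """Decode the DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm_oid(der):
    """Raw OID octets of the outer signatureAlgorithm of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(der, pos)        # skip tbsCertificate entirely
    _, pos, _ = _read_tlv(der, pos)        # enter signatureAlgorithm (AlgorithmIdentifier)
    tag, start, end = _read_tlv(der, pos)  # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return der[start:end]

def sha1_signed_indexes(pem_chain):
    """Indexes (0 = leaf) of certificates in a PEM chain whose signature uses SHA-1."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_chain, re.S)
    ders = [base64.b64decode("".join(b.split())) for b in blocks]
    return [i for i, d in enumerate(ders) if signature_algorithm_oid(d) in SHA1_SIGNATURE_OIDS]

# Constructed sample input (NOT real certificates): Certificate skeletons with a 300-byte
# placeholder tbsCertificate so the long-form length path real certificates need is exercised.
def _tlv(tag, body):
    n = len(body)
    size = 0 if n < 0x80 else (n.bit_length() + 7) // 8
    length = bytes([n]) if not size else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def _fake_cert_pem(oid):
    tbs = _tlv(0x30, _tlv(0x04, b"\x00" * 300))
    alg = _tlv(0x30, _tlv(0x06, oid) + b"\x05\x00")   # AlgorithmIdentifier { oid, NULL }
    sig = _tlv(0x03, b"\x00" * 33)                    # BIT STRING: unused-bits byte + 32 bytes
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")      # sha256WithRSAEncryption
SHA1_RSA = bytes.fromhex("2a864886f70d010105")        # sha1WithRSAEncryption
# Chain order: leaf (SHA-256), intermediate (SHA-1), self-signed root (SHA-256) -> flags [1]
SAMPLE_CHAIN = _fake_cert_pem(SHA256_RSA) + _fake_cert_pem(SHA1_RSA) + _fake_cert_pem(SHA256_RSA)
```

On a real chain file, `sha1_signed_indexes(open("chain.pem").read())` lists the positions to fix; a SHA-1 self-signed root reported at the last index is the case the Microsoft note exempts, since root signatures are never verified.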