Please create an account to participate in the Slashdot moderation system


Forgot your password?
Microsoft Security

Microsoft Finally Bans SHA-1 Certificates In Its Browsers ( 38

An anonymous reader quotes ZDNet: With this week's monthly Patch Tuesday, Microsoft has also rolled out a new policy for Edge and Internet Explorer that prevents sites that use a SHA-1-signed HTTPS certificate from loading. The move brings Microsoft's browsers in line with Chrome, which dropped support for the SHA-1 cryptographic hash function in January's stable release of Chrome 56, and Firefox's February cut-off... Apple dropped support for SHA-1 in March with macOS Sierra 10.12.4 and iOS 10.3... Once Tuesday's updates are installed, Microsoft's browsers will no longer load sites with SHA-1 signed certificates and will display an error warning highlighting a security problem with the site's certificate.
This discussion has been archived. No new comments can be posted.

Microsoft Finally Bans SHA-1 Certificates In Its Browsers

Comments Filter:
  • We still use IE 6 for such sites

  • I wonder if they still support ROT13 certificates.

    • by Lennie ( 16154 )

      There is no such thing.

      Please learn the basics of cryptography. There are 2 big categories:

      A: encryption schemes

      B: cryptographic one-way hash

      ROT13 goes in bucket A, SHA-1 goes in bucket B.

      While we are on the subject, encryption schemes come in 2 flavours:

      1: symmetric key encryption (same key)

      2: Public key cryptography, or asymmetric cryptography

      Go read a few Wikipedia pages, it's really not as hard as you would expect.

  • Why ban it? (Score:5, Insightful)

    by Zorpheus ( 857617 ) on Saturday May 13, 2017 @06:53PM (#54412031)
    It is no secure encryption, so it is just as insecure as an unencrypted site. But since it is banned we can't even view these sites anymore. That makes no sense. There should just be a warning, similar to what you get for an untrusted certificate.
    • The problem with this thinking is sites which handle payment data and other sensitive data who are refusing to upgrade. By keeping it for low risk sites, we also keep it for high risk sites to abuse as well. We have to cut it off for all sites to stop the high risk ones from using it.

      TLS creates the appearance of security but high risk sites can use broken old technology with TLS and give the appearance of security when the security is terribly broken, giving the user (and even ignorant and lazy sit

  • Does Edge work as a browser yet?
  • by MobyDisk ( 75490 ) on Sunday May 14, 2017 @08:50AM (#54413565) Homepage

    I work for a large company that has a proxy server that does MITM attacks. The certs issued by the server are SHA-1, so we haven't been able to use Chrome and Firefox for months. The funny thing is that they even recommend using Chrome for certain sites. Many of us have opened tickets on this and they just don't seem to understand that this isn't a bug in Chrome. *facepalm* I hope this finally forces them to fix it. Although I don't have high hopes. Odds are more that they will try to block the update, and if anyone winds-up with it they will be considered out-of-compliance and IT will reformat their machines.

IN MY OPINION anyone interested in improving himself should not rule out becoming pure energy. -- Jack Handley, The New Mexican, 1988.