April 29, 2016 10:00 am

An update to our SHA-1 deprecation roadmap

In November, we shared a SHA-1 Deprecation Update with some early details on our schedule for blocking SHA-1 signed TLS certificates. Today we would like to share more details on how this will be rolled out.

Starting with the Windows 10 Anniversary Update, Microsoft Edge and Internet Explorer will no longer consider websites protected with a SHA-1 certificate as secure and will remove the address bar lock icon for these sites. These sites will continue to work, but will not be considered secure. This change will be in upcoming Windows Insider Preview builds soon, and will be deployed broadly this summer. In mid-2017, both Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates.

This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program. Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers.

Additional information on Microsoft’s overall SHA-1 deprecation plans can be found on TechNet.

Test blocking of SHA-1 TLS Certificates

You can enable logging of SHA-1 certificate use by typing the following commands into an Administrator Command Prompt. These commands do not block the use of SHA-1 TLS certificates; instead, each SHA-1 certificate that is encountered is logged to the directory you provide.

First, create a logging directory and grant universal access (the SIDs below are ALL APPLICATION PACKAGES, Everyone and Restricted Code, and the directory is set to Low integrity so that sandboxed browser processes can write to it):

set LogDir=C:\Log
mkdir %LogDir%
icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %LogDir% /setintegritylevel L

Next, enable certificate logging:

Certutil -setreg chain\WeakSignatureLogDir %LogDir%
Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80900008

Use the following command to remove the settings after you have completed your testing.

Certutil -delreg chain\WeakSha1ThirdPartyFlags
Certutil -delreg chain\WeakSignatureLogDir

Additional information on these commands and other protections against weak crypto can be found here: Protecting Against Weak Cryptographic Algorithms.
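To find out ahead of time whether a server's chain contains a SHA-1 signed certificate (the condition that removes the lock icon), the following added example, which is not from this post or from Microsoft, parses the outer DER structure of each X.509 certificate just far enough to read its signatureAlgorithm OID; it needs no third-party library. The `sample_cert` helper and the OID list are assumptions of the example: it builds a constructed DER skeleton for testing, not a real certificate.

```python
SHA1_OIDS = {  # signatureAlgorithm OIDs that denote SHA-1 (common TLS cases)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert DER OID contents to dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Return the signatureAlgorithm OID of a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate must be a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)         # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)     # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)

def weak_certs(chain_der):
    """[(index, algorithm)] for each SHA-1-signed certificate in the chain."""
    names = [SHA1_OIDS.get(signature_oid(d)) for d in chain_der]
    return [(i, n) for i, n in enumerate(names) if n]

def _tlv(tag, content):
    """DER-encode one short-form TLV (used only for the constructed sample)."""
    return bytes([tag, len(content)]) + content

def sample_cert(oid_der):
    """Constructed minimal 'certificate': empty tbsCertificate, given OID, empty sig."""
    alg = _tlv(0x30, _tlv(0x06, oid_der) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00"))
```

Pass `weak_certs` the DER bytes of each certificate the server sends (for a PEM file, base64-decode the body between the BEGIN/END lines first); an empty result means no SHA-1 signature in the chain.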

– Alec Oot, Senior Program Manager
– Mike Stephens, Senior Program Manager

Update as of 7/24/2016:

The above changes to the lock icon for SHA-1 protected sites are now available on all supported versions of Microsoft Edge and Internet Explorer 11. These changes are included in the following updates:

Updated February 22, 2017 9:51 pm

Join the conversation

  1. When you say “will not be considered secure” does that mean that a HTTPS site that references JavaScript from a HTTPS URL bearing a SHA1 certificate will find those scripts blocked by a mixed-content prompt?

    Is the “Not-secure, used SHA-1” marker stored in the cache, such that proper UX markings occur when a page is reloaded from the cache without hitting the server?

    Has anything changed for Authenticode? SHA-1 file digests were broken in a recent Insider Build, but that may have been accidental?

  2. Thanks Eric – The changes going live this summer will not trigger a mixed content warning and only impact the address bar lock icon and F12 console.

    When loading cached content, we will remove the lock icon for pages that were delivered over a connection protected with a SHA-1 certificate.

    No changes to Authenticode here. There was an issue in a recent Windows Insider build, but this has since been addressed.

  3. Can you be more specific than “will be deployed broadly this summer?” It would be good to get the message out to web server operators and provide a deadline.

    Thanks, Bruce.

    • We are targeting to bring this update to in-market versions of Microsoft Edge and Internet Explorer 11 as part of the regularly-scheduled July 12th Update Tuesday release

  4. Block or Untrust? Or both?
    In this article, you wrote “In February 2017, both Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates.”
    And at a technet article ( https://aka.ms/sha1 ) Jody wrote “Server-Authentication Certificates: … Effective February 14, 2017, Windows will no longer trust certificates signed with SHA-1 after 2/14/2017”
    Which one is correct?

    • Starting in February 2017, sites that are loaded over SHA-1 will behave as other untrusted certificates (e.g. self-signed, expired) are today and will be blocked from loading.

      • Hi Alec,
        When you say that SHA-1 sites “will be blocked from loading”, does that mean a hard block with no way around it, or will the user have the option to click past the warnings and eventually get to the site?
        Thank you.

        • Hi Mark – We will include the option to click past the warnings in the same way that we do for other ignorable certificate errors (self-signed, expired)

          • Hi @Alec Oot,
            Do you have a date when it will be included?

  5. What happens to communication of products that use Server Client Self-Sign (which functions properly today)?

    Will the communication stop functioning after SHA1 support is removed?

    Thanks.
    B.

  6. I read how the 3rd world and much of technology that exists today will be greatly affected by SHA1 deprecation. The whole argument about a computer can figure out the SHA1 cert and spoof it, seems easily countered by replacing the SHA1 with another SHA1 cert frequently. Star Trek NG dealt with the Borg’s withering attacks by altering the frequency of the Enterprise’s shields. The Borg’s next attack countered the first shield change, but Data began changing the shield frequency quickly and again stopped the Borg’s attack. We have gotten adept at changing out the certs annually or semiannually; so just make cert changes daily by scripts.

  7. I would like some clarity on the below:
    and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program

    Does that mean if you are using a sha1 certificate from a different party it will continue to work or will it be treated as untrusted as well?

    How will older versions of IE be impacted?

    • There should be no impact for roots that you have trusted that are not included in Microsoft Trusted Root Program (such as self-signed that you’ve chosen to trust).

  8. According to the post above, after the July 12th 2016 patch release, the lock bar icon should no longer be present.

    KB3160005 (Version 11.3.32) has been installed on our machines, but the lock icon is still present for SHA1 sites. We have put a lot of effort into notifying our clients of the upcoming change. Have there been any changes to the sha1 deprecation timeline?

    Can you also clarify what “in-market” versions means exactly?

    • Hi David,

      If you install the latest Windows 10 Cumulative Update (KB3163912 for Windows 10 RTM, and KB3172985 for Windows 10 Version 1511) you should see the behavior changes described above.

      For Win7, and Win8.1, you will need to install the latest Internet Explorer Cumulative Update (KB3170106) AND the latest Windows rollup update. The Windows rollups are currently offered as Optional updates on Windows Update:
      July 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB3172605)
      July 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (KB3172614)

  9. In the article you state “and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program.” Since local trust stores can be configured to chain to self-signed Root CAs that are not directly in the MSFT root program (e.g. DoD Root CA 2) but may also be configured to use cross certificates to chain to a root that is (e.g. US Federal Bridge CA), will the trust model chosen affect the ‘lock’ icon in IE?

    • Windows will only check if the thumbprint of the root certificate is in the Microsoft Trusted Root Certificate Program. A cross-certificate signed by a Microsoft Trusted Root that chains to your own root (DoD Root CA2) would not be impacted by the changes announced here.

  10. After applying KB3172605 several websites that use TLS 1.0 and SHA-1 would not display in IE11. These sites run in enterprise mode. Fortunately we only hit 10% of the fleet before catching the issue. We suspended deployment and are now uninstalling KB3172605 from those affected devices until we can find another work-around.

    • Hi Tom – Can you elaborate on the error that you see? Did the site not load in the mode specified in your Enterprise Mode Site List, or was there a connection error (i.e. the TLS error page, “This page can’t be displayed”, was shown)? Did you install the June Windows 7 update rollup (KB3161608) last month and encounter the same problem?

      If you haven’t done so already, I’d recommend that you either directly reach out to Microsoft support, or post on https://answers.microsoft.com to look deeper into this.

      • Alec, we get the “This page can’t be displayed” error (res://ieframe.dll/dnserror.htm).
        We never actually deployed the June patch so I can’t speak to that. I want to submit a ticket to Premier support on this issue but honestly it will be difficult to carve out time to do so.

        • Tom, were you able to get this resolved? We are seeing the same issue on some sites in Internet Explorer after KB3172605 is applied.

  11. Hello,

    is this also for the automatically generated RDP certificates?
    These are still SHA1 and the Security Scanner identifies this as a risk; we can’t order thousands of certificates. The automatically generated RDP certificate should not use SHA1 anymore. Please provide a fix or something like that which changes RDP from SHA1 to SHA256 automatically.

    Thank you

  12. May I know what happens to RDP certificates that are self signed? Do we need to update to SHA2 or SHA1 is still secure when it comes to RDP? It currently shows as a vulnerability on Nessus scan. Kindly enlighten me on this.