Encryption

Microsoft announced this week it no longer will support the SHA-1 hashing function used to encrypt information in its Internet Explorer and Edge web browsers.

Going forward, websites signed with a SHA-1 SSL certificate will be blocked from loading. The browser will display a warning that the website is using an invalid certificate and advise users not to share sensitive information with the site.


The decision was buried in a list of updates and patches released by the company this week, including an emergency patch that fixed an exploit in Windows Defender that allowed an attacker to remotely execute malicious code through the anti-malware program.

Microsoft will pull support for the hashing function immediately in both Edge and Internet Explorer. That brings them up to speed with other browsers such as Google Chrome and Firefox, which had already started phasing out support for websites using SHA-1 certificates.

The move was inevitable, as SHA-1 has been considered obsolete by security experts for several years. Earlier this year, Google was able to successfully execute a collision attack on SHA-1 that effectively cracked the encryption algorithm, proving its vulnerability.

The hashing function used to encrypt information generates a random string of characters that act as a digital fingerprint for plaintext information while making sure no one except the intended recipient is able to access the information. It was commonly used for login systems, which need to verify a password is correct without exposing the password.


Because it’s very unlikely for hash values ever to be identical, it’s easy for a system to verify a hash value. But Google was able to create a collision, in which two different files produced the exact same hash value, enabling an attacker to distribute malicious files that share the same hash as a legitimate file.

Google’s attack took a considerable amount of computing power. It required 9 quintillion SHA-1 computations in total, amounting to 6,500 years of CPU computation and 110 years of GPU computation.

A small-time attacker is not likely to have access to those kinds of resources, but it is conceivable that a malicious actor or organization could harness similar amounts of computing power to create such a collision, to devastating effect.

For example, in 2012 the state-sponsored malware known as Flame used a collision attack against the MD5 algorithm to forge a Windows code-signing certificate and distribute itself through patches to millions of users.

SHA-1 has now been proved vulnerable to a similar type of attack. While the collision that Google produced is less devastating than the one used by Flame, it is enough for cryptographers to deem the hash function unsafe.

The move away from SHA-1 by many secure sites started in 2014. At the time, more than 90 percent of web encryption was still using the SHA-1 hashing function.