Microsoft has finally decided to boot out websites with poor security certificates from loading in Microsoft Edge and Internet Explorer 11 browsers.
Websites carrying SHA-1 certificate will no longer be able to load or display invalid certificate warnings in Microsoft Edge and Internet Explorer 11 browsers.
Last week, Google decided to make the Chrome web browser even more secure to access by introducing new alerts to warn users whenever they visit sites lacking HTTPS certificates. Websites carrying HTTP certificate or Secure Hash Algorithm (SHA-1) are not as secure as the ones carrying latest HTTPS security certificates.
Google intends to force all websites sporting medeival security certificates to transition to SHA-2 which is the modern security standard and is supported by all browsers. Google Chrome is now marking non-HTTP sites a 'Not Secure' as soon as users start typing on such sites. Google is aiming to eventually mark all non-HTTPS pages as 'Not Secure' in red which will be more noticeable by visitors compared to the small 'i' logo which appears on the address line at present.
However, while Google is only displaying alerts, Microsoft has decided to completely do away with such websites for good. "Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1," the company revealed.
"Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates.
"The root cause of the problem is a known weakness of the SHA-1 hashing algorithm that exposes it to collision attacks. Such attacks could allow an attacker to generate additional certificates that have the same digital signature as an original. The use of SHA-1 certificates for specific purposes that require resistance against these attacks is discouraged. At Microsoft, the Security Development Lifecycle has required Microsoft to no longer use the SHA-1 hashing algorithm as a default in Microsoft software," the company added.
"This is a very positive step from Microsoft and it will definitely improve the security of the Internet -- both Google and Mozilla started blocking websites that use SHA-1 back in February. It's well within reach of nation states and sophisticated adversaries to compromise SHA-1 certificates. In fact, more than a decade ago NIST called for the elimination of SHA-1 because of known vulnerabilities," says Kevin Bocek, chief cybersecurity strategist at Venafi.
Venafi, a leading cybersecurity company, analysed data on over 33 million publicly visible IPv4 websites using Venafi TrustNet™, a proprietary database and real-time certificate intelligence service back in February. This research discovered that over 1 in 5 certificates for unique IP addresses were still using SHA-1 as the signature hash algorithm.
"Businesses were struggling to remediate SHA-1 still even before Microsoft’s announcement because they lack visibility to know where SHA-1 certificates are on their networks, and they don’t have the automation to replace them quickly," Bocek added.