Microsoft to Stop Honoring SHA1 Certificates for SSL and Code Signing
The US National Institute of Standards and Technology has recommended that SHA1 no longer be trusted past January of 2014. But with 98% of certificates issued worldwide being based on that standard, an immediate change is not feasible. So Microsoft is giving websites until January first of 2017 to replace their SSL certificates with a more secure version.
Application vendors that need to sign their code are also affected. They only have until January first of 2016 to acquire new code signing certificates. “SHA1 code signing certificates that are time stamped before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack.”
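As an added example (not code from the article or from Microsoft), the following Python reads the signatureAlgorithm OID from a DER-encoded certificate using only the standard library and reports which of the two deadlines above applies when the signature uses SHA1. The sample certificates are constructed skeletons, not real certificates, and the timestamping exception for code-signing certificates is not modelled.

```python
from datetime import date

# signatureAlgorithm OIDs (RFC 3279 / RFC 5758) mapped to their hash function
OID_HASH = {
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}
# Deadlines from the article: SSL certs by 1 Jan 2017, code signing by 1 Jan 2016
DEADLINES = {"ssl": date(2017, 1, 1), "codesign": date(2016, 1, 1)}

def _tlv(buf, pos):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Convert OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # clear high bit ends this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """Hash named by the certificate's outer signatureAlgorithm field."""
    _, pos, _ = _tlv(cert_der, 0)                         # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(cert_der, pos)                   # tbsCertificate (skipped)
    _, alg_start, _ = _tlv(cert_der, tbs_end)             # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _tlv(cert_der, alg_start)   # its algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _decode_oid(cert_der[oid_start:oid_end])
    return OID_HASH.get(oid, "unknown(" + oid + ")")

def sha1_deadline(cert_der, purpose):
    """Replacement deadline for a SHA1 cert used for 'ssl' or 'codesign', else None."""
    return DEADLINES[purpose] if signature_hash(cert_der) == "sha1" else None

def sample_cert(alg_oid_der):
    """Constructed skeleton Certificate (not a real cert) carrying the given OID."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form DER only
    alg = der(0x30, alg_oid_der + b"\x05\x00")    # AlgorithmIdentifier with NULL params
    return der(0x30, der(0x30, b"\x02\x01\x01") + alg + der(0x03, b"\x00\xaa"))

SHA1_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # sha1WithRSAEncryption
SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
```

On a real certificate, pass the DER bytes (for PEM input, base64-decode the body between the BEGIN/END lines first) to `signature_hash` or `sha1_deadline`.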
These policies are subject to review in the middle of 2015. Two key factors that may affect Microsoft's timelines are:
whether SHA1 is still considered resistant to pre-image attacks by the security community, and
whether a significant portion of the ecosystem is not capable of switching to SHA2. Third party legacy systems and embedded devices that cannot be upgraded to SHA2 may be particularly susceptible. We will continue to gather data on this portion of the ecosystem.
As currently written the SHA1 Deprecation Policy will apply to Windows Vista, Windows Server 2008, and later operating systems. Those still running Windows XP will need at least Service Pack 3 in order to use SHA2. Windows Server 2003 Service Pack 2 also supports SHA2.
Todd Montgomery Dec 19, 2014