
Microsoft to Stop Honoring SHA1 Certificates for SSL and Code Signing

by Jonathan Allen on Nov 20, 2013 |

The US National Institute of Standards and Technology has recommended that SHA1 no longer be trusted past January of 2014. But with 98% of certificates issued world-wide being based on that standard, an immediate change is not feasible. So Microsoft is giving websites until January first of 2017 to replace their SSL certificates with a more secure version.

Application vendors that need to sign their code are also affected. They only have until January first of 2016 to acquire new code signing certificates. “SHA1 code signing certificates that are time stamped before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack.”

These policies are subject to review in the middle of 2015. Two key factors that may affect Microsoft’s timelines are:

whether SHA1 is still considered resistant to pre-image attacks by the security community, and

whether a significant portion of the ecosystem is not capable of switching to SHA2. Third party legacy systems and embedded devices that cannot be upgraded to SHA2 may be particularly susceptible. We will continue to gather data on this portion of the ecosystem.

As currently written the SHA1 Deprecation Policy will apply to Windows Vista, Windows Server 2008, and later operating systems. Those still running Windows XP will need at least Service Pack 3 in order to use SHA2. Windows Server 2003 Service Pack 2 also supports SHA2.
