The most popular web browsers are calling time on SHA-1, the hashing algorithm for securing data, and will soon begin blocking sites that use it.
- In a blog post, Microsoft stated that the algorithm is no longer secure and allows attackers to carry out spoofing, phishing, or man-in-the-middle attacks. From February 14, Microsoft Edge and Internet Explorer 11 will no longer automatically load a site that uses a SHA-1 certificate; instead they will warn the user that the certificate is invalid before they go any further.
- Google made a similar announcement, explaining that Chrome 56 will not support the outdated hashing algorithm. Chrome 56 is tipped for release in late January, and Google outlined these plans almost a year ago.
- Mozilla’s Firefox will also start winding down support for SHA-1 early next year, so expect all the major browsers to have left SHA-1 behind by spring 2017.
Once upon a time, MD5 was the go-to hashing algorithm, until SHA-1 replaced it as the standard. But as Google noted in its announcement last week, SHA-1 “first showed signs of weakness over eleven years ago,” so the industry shift away from the algorithm has been a long time coming.
“Enterprises are encouraged to make every effort to stop using SHA-1 certificates as soon as possible and to consult with their security team before enabling the policy,” said Andrew Whalley of Google Chrome’s security team. […]