{"id":8742,"date":"2015-11-09T10:41:44","date_gmt":"2015-11-09T14:41:44","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=8742"},"modified":"2015-11-09T10:41:44","modified_gmt":"2015-11-09T14:41:44","slug":"microsoft-may-block-sha1-certificates-sooner-than-expected","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/11\/09\/microsoft-may-block-sha1-certificates-sooner-than-expected\/","title":{"rendered":"Microsoft may block SHA1 certificates sooner than expected"},"content":{"rendered":"<div class=\"topContent container\">\n<div class=\"row\">\n<div class=\"row\">\n<div class=\"col-12\">\n<header class=\"storyHeader article\">\n<div class=\"byline\">\n<p class=\"meta\"><strong>Encrypted sites running old certificates will be inaccessible from modern browsers.<\/strong><\/p>\n<p class=\"meta\">By <a href=\"http:\/\/www.zdnet.com\/meet-the-team\/us\/zack-whittaker\/\" target=\"_blank\" rel=\"author\">Zack Whittaker<\/a> for <a href=\"http:\/\/www.zdnet.com\/blog\/security\/\" target=\"_blank\">Zero Day<\/a><\/p>\n<\/div>\n<\/header>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div id=\"mantle_skin\">\n<div class=\"contentWrapper \">\n<div class=\"container \">\n<div class=\"row\">\n<div class=\"row\">\n<div class=\"col-12\">\n<div class=\"row\">\n<div class=\"row\">\n<div class=\"col-12\">\n<div class=\"row\">\n<div class=\"col-8\">\n<article>\n<div class=\"shareBar\">While about one in four encrypted websites are still using weak security certificates, Microsoft is considering taking matters into its own hands.<\/div>\n<div class=\"storyBody\">\n<p>With an attack becoming ever more likely, the software giant <a href=\"http:\/\/blogs.windows.com\/msedgedev\/2015\/11\/04\/sha-1-deprecation-update\/\" target=\"_blank\">said in a blog post<\/a> that it may consider moving up its deadline for deprecating old SHA1-based security 
certificates to June 2016.<\/p>\n<p>That means sites running old certificates will be inaccessible, or difficult to access, from modern browsers.<\/p>\n<p>Kyle Pflug, a program manager on Microsoft&#8217;s Edge browser team, said the software giant &#8220;will continue to coordinate with other browser vendors to evaluate the impact of this timeline based on telemetry and current projections for feasibility of SHA1 collisions.&#8221;<\/p>\n<p>Fellow browser maker Mozilla <a href=\"https:\/\/blog.mozilla.org\/security\/2015\/10\/20\/continuing-to-phase-out-sha-1-certificates\/\" target=\"_blank\">said last month<\/a> that it may also deprecate support for older SHA1-based certificates as of July 2016.<\/p>\n<p>Companies are getting increasingly concerned about the state of the cryptographic algorithm, which has been widely used across the encrypted web for years, because some fear it could be cracked by the end of the year. That would essentially <a href=\"http:\/\/www.zdnet.com\/article\/just-how-many-websites-are-vulnerable-because-of-sha-1\/\" target=\"_blank\">make the algorithm useless<\/a>, weakening security for millions of users.<\/p>\n<p>Research published last month said a well-resourced attacker, such as an intelligence agency, could successfully carry out an SHA1 collision attack by the end of the year. 
That would mean a country like the US, Russia, or China &#8212; or even a well-funded hacker &#8212; could impersonate seemingly secure websites.<\/p>\n<p>Researchers previously believed that an SHA1 collision was at least two years away.<\/p>\n<p>The good news is that SHA2, the newer and far stronger cryptographic algorithm, <a href=\"http:\/\/www.zdnet.com\/article\/as-sha1-winds-down-sha2-leap-will-leave-millions-stranded\/\">makes up about 75 percent<\/a> of the encrypted web, and that figure is growing every month.<\/p>\n<p>Certificate authorities said they will respond by no longer issuing SHA1 certificates from 2016, opting instead for SHA2 certificates.<\/p>\n<p>However, many of those in developing nations who are running older software and devices &#8212; including the candy-bar cellphones that have basic mobile internet &#8212; will <a href=\"http:\/\/www.zdnet.com\/article\/as-sha1-winds-down-sha2-leap-will-leave-millions-stranded\/\">face a brick wall<\/a>, because their browser or device will be unable to read the new, more secure certificates.<\/p>\n<p>&#8220;We&#8217;re about to leave a whole chunk of the internet in the past,&#8221; said CloudFlare chief executive Matthew Prince.<\/p>\n<\/div>\n<\/article>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Encrypted sites running old certificates will be inaccessible from modern browsers. 
By Zack Whittaker for Zero Day While about one-in-four [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[5,7,9,11],"tags":[948,968,1199],"class_list":["post-8742","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","category-software","category-windows","tag-secuirty-certificates","tag-sha1","tag-websites"]}