Starting yesterday, via updates delivered in the May 2017 Patch Tuesday, Microsoft browsers such as Edge and Internet Explorer have begun flagging websites as insecure if they use SSL/TLS certificates signed with the SHA-1 algorithm.
The reason all three major browsers banned SHA-1 was, initially, research published in the autumn of 2015, which revealed that the financial and computational cost of breaking SHA-1 was lower than anyone thought.
That fall, browser vendors agreed on a long-term plan to deprecate SHA-1-signed certificates on the web. The first major step was taken on January 1, 2016, when they forbade publicly trusted Certificate Authorities to issue new certificates signed with the SHA-1 algorithm.
The last step in this process was in January 2017, when all browser makers agreed to distrust all SSL/TLS certificates signed with the SHA-1 algorithm. This meant that browsers would show an error when a user tried to navigate to an HTTPS site that encrypted communications using an SSL/TLS certificate signed with SHA-1.
Microsoft was late to this party, but now, the company has aligned with Google and Mozilla on this stance.
The decision couldn't have come sooner, as, on February 23, 2017, Google and other researchers announced the first-ever SHA-1 collision attack.
For their research, Google generated two different files that had the same SHA-1 digital signature. Since SSL/TLS certificates are nothing more than files, this meant, at least in theory, that someone could create two SSL/TLS certs with the same SHA-1 hash, and impersonate legitimate sites. Fortunately, by that point, Google and Mozilla were already showing errors when accessing these types of sites.
In a security advisory that accompanied the May 2017 Patch Tuesday, Microsoft explains its decision to ban SHA-1-signed certificates in Edge and Internet Explorer, and urges website owners to migrate to using SHA-2-signed certificates.
SHA-1 is an algorithm created by NSA researchers in the 90s that has been used in the past decades to create a digital signature for files or data streams. As it became clear in the mid-2000s that someone could theoretically break SHA-1 hashes, security experts started advising that organizations use SHA-2 or stronger hashing functions to create digital signatures for sensitive files.