Microsoft update to Microsoft Edge and Internet Explorer 11 blocks access to sites using SHA-1 SSL-TLS Certificates

Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning.

Threat ID:: CC-1402
Category:
Threat Severity:: Medium
Threat Vector:
Published:: 10 May 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Affected platforms

The following platforms are known to be affected:

Internet Explorer

Microsoft Edge and Internet Explorer 11 accessing websites with a SHA-1 certificate.

Threat details

This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although Microsoft recommend that all customers quickly migrate to SHA-2 based certificates. For more information, please see Windows Enforcement of SHA1 Certificates.

For more information see Microsoft Knowledge Base Article 4010323.

Remediation steps

Type	Step
	Review Microsoft Trusted Root Program Policy Changes Windows Enforcement of SHA1 Certificates. Update Certificates from SHA-1 to SHA-2: Certificate authorities have been prohibited from issuing new SHA-1 certificates Since January 2016. Customers should ensure that their certificate authorities are using the SHA-2 hashing algorithm to obtain SHA-2 certificates from their certificate authorities. To sign code with SHA-2 certificates, see the guidance on this topic at Windows Enforcement of SHA1 Certificates Keep all operating systems and applications up to date with the latest security updates.

Type

Step

Review Microsoft Trusted Root Program Policy Changes Windows Enforcement of SHA1 Certificates.
Update Certificates from SHA-1 to SHA-2: Certificate authorities have been prohibited from issuing new SHA-1 certificates Since January 2016. Customers should ensure that their certificate authorities are using the SHA-2 hashing algorithm to obtain SHA-2 certificates from their certificate authorities. To sign code with SHA-2 certificates, see the guidance on this topic at
Windows Enforcement of SHA1 Certificates
Keep all operating systems and applications up to date with the latest security updates.

Last edited: 17 February 2020 11:35 am