nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Microsoft may join Mozilla and retire SHA-1 in 2016

Hands up if you don't think SHA-1 is completely past its prime? None of you? Hmm ...

By Richard Chirgwin, 5 Nov 2015

Microsoft has decided to follow Mozilla down the path to better security, bringing forward the end-of-life date for SHA-1 hashing.

SHA-1 has long been suspect, but in 2015 the ease and effectiveness of attacks against it have grown to the point where everyone with good sense is making their excuses and leaving the room.

Hashing converts sensitive data (like a password) into a string of characters using a one-way function. That way, if the hash is retrieved from a database by an attacker, they're not supposed to be able to recover the original password. When a user presents their password, the hash function is applied, and the result is compared to the hash stored in the database to see if it matches.

SHA-1 is so ancient that attacks against it are a decade old, and it's been on everybody's EOL for a few years. However, this year's relatively cheap attack (using US$75,000 worth of kit) gave a new impetus to its elimination.

In the blog post announcing the accelerated schedule, Microsoft Edge program manager Kyle Pflug says instead of January 2017, MS is considering deprecating SHA-1-signed TLS certificates in June 2016.

Since the deprecation goes way beyond the browsers (it affects code signing as well), Microsoft has published a detailed enforcement timeline here. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing