IE and Edge will show warning for sites with sha-1 hashing from February
Microsoft’s Internet Explorer and Edge browsers will start showing a warning from February 14 next year if sites are protected with a sha-1 certificate. Users can still access the site after a warning.
On Valentine’s Day next year, both browsers will receive an update, giving users a warning that the site may be unsafe when accessing a site that uses a sha-1 certificate. It clearly states that Microsoft advises against visiting the site, but the site remains accessible for the time being. With this, the American company follows the line of other browser builders, who have now also started issuing warnings on sites with sha-1 hashing. Certificate authorities are now only allowed to issue sha-2 certificates.
At a later date, the Redmond software maker wants to build in that Windows will also warn its users outside the browser if software uses sha-1 when hashing. When that will be exactly, Microsoft is not yet saying. It does make it clear that it monitors attacks on sha-1 hashing to determine how quickly that should happen.
The security issues with sha-1 certificates have been known for some time, but are now relevant because it has become increasingly cheaper to attack the certificate. By means of collision or collisions it is possible to have a false certificate take the place of a legitimate certificate. As a result, the security of a connection can no longer be guaranteed.