Microsoft sets Feb 2017 date to kill last SHA-1 zombies

But you've already removed it from your servers, haven't you?

Microsoft has posted the next step in its deprecation of SHA-1 certificates, but they'll survive for nearly another year.

Back in November, Redmond was mulling joining Firefox in a death-to-SHA-1 party during 2016, but its latest missive sets a February 2017 sunset.

At that date, Microsoft's Edge Team writes, both Edge and Internet Explorer will block SHA-1 signed TLS certificates.

Before then – starting with the Windows 10 Anniversary Update (I'm going to P-A-R-T-Why? Because there's a big Windows update in the works!) – the two browsers will quit showing the lock icon for SHA-1-signed TLS certificates.

Edge on Windows 10, and IE on everything after Windows 7, will get the update, which will apply to certificates that “chain to a CA in the Microsoft Trusted Root Certificate program”, the post states.

In the meantime, to help gather data about daredevil sysadmins that have zombie SHA-1 certs shambling around yelling for brains, sysadmins can log their use of SHA-1.

After creating an appropriate directory, the following commands turn on the logs:

Certutil -setreg chain\WeakSignatureLogDir %LogDir% Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80900008

February 2017 is also the end-of-life date for anyone using SHA-1 code signing, as Microsoft announced here.

Windows 7 and higher, and Windows Server, will not trust code signed with an SHA-1 certificate time-stamped later than 00:00 UTC on February 14 2017. ®

Sponsored: Becoming a Pragmatic Security Leader




Biting the hand that feeds IT © 1998–2019