Beginning February 14th, 2017, the Microsoft Edge browser and Internet Explorer 11 (IE11) will start blocking websites with a SHA-1 certificate. The browsers will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Users will have the option to ignore the error and continue to the website, although that is strongly discouraged. In recent years, there have been many attacks on encryption and weak ciphers. As these attacks become more prominent, website owners are encouraged to upgrade their certificates to stronger algorithms. You can read Configure IIS for SSL/TLS Protocol Cipher Best Practices or HTTP/2, HTTPS, Let’s Encrypt, NGINX and WordPress Hardening for more information.
The SHA-1 hash algorithm is no longer secure. Weaknesses in SHA-1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web. This change will only affect SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually installed enterprise or self-signed SHA-1 certificates will not be affected, although admins are still advised to migrate them to SHA-256 as soon as possible.
- In 2015, Google Chrome blocked SSLv3.
- Firefox has blocked weak DHE ciphers since v39. Firefox is currently on v50.
How To Test Your Site
You can see if your site will be affected by installing the latest November 2016 Windows Updates, including the November 2016 Preview of Monthly Quality Rollups for Windows 7/Windows 8.1.
You can test by running the following commands from an Administrator Command Prompt:
First, choose a logging directory and grant the browser's sandboxed, low-integrity processes write access to it. The %LogDir% variable must be defined before the icacls commands can use it; the set and mkdir lines below use C:\Log as an example path, so substitute your own:
set LogDir=C:\Log
mkdir %LogDir%
rem S-1-15-2-1 = ALL APPLICATION PACKAGES (Edge and other app containers)
icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
rem S-1-1-0 = Everyone
icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
rem S-1-5-12 = Restricted Code (IE11 Protected Mode)
icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
rem Low mandatory integrity level, so low-integrity browser processes can write log files here
icacls %LogDir% /setintegritylevel L
Next, point CryptoAPI at the log directory and enable SHA-1 blocking for third-party (publicly trusted) certificate chains; the log directory receives a record of each weak signature the chain engine encounters:
Certutil -setreg chain\WeakSignatureLogDir %LogDir%
Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80040004
Important: Use the following commands to remove the settings after you have completed your testing.
Certutil -delreg chain\WeakSha1ThirdPartyFlags
Certutil -delreg chain\WeakSignatureLogDir
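The registry test above tells you whether the browser will complain, but it does not tell you which certificate in the chain is the SHA-1 one, nor whether the enterprise or self-signed certificates mentioned earlier are also still SHA-1 signed. The PowerShell below is an added example, not code from the original post or from Microsoft: the first function connects to a site, builds the chain with .NET and reports each element's signature algorithm; the second inventories the local certificate stores for SHA-1-signed certificates. The host name 'www.example.com' and the store paths are placeholders, and the script assumes Windows PowerShell 3.0 or later on .NET 4.x.

```powershell
# Added example (not from the original post). Reports the signature algorithm of every
# certificate in a site's chain so SHA-1 can be found before the February 14, 2017 cutoff.
function Get-SiteChainSignatureAlgorithms {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # placeholder host supplied by caller
        [int]$Port = 443
    )

    $client = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    $ssl = $null
    try {
        # Accept whatever the server presents: this function inspects the chain, it does not
        # decide trust, so a SHA-1 or otherwise invalid chain must still be reported.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object -TypeName System.Net.Security.SslStream `
            -ArgumentList $client.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)

        $leaf = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation failures would abort the build; only the algorithms matter here.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($leaf)

        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            # Browsers do not verify a root's self-signature, so a SHA-1 root is not the
            # problem; a SHA-1 leaf or intermediate is.
            [pscustomobject]@{
                Subject            = $c.Subject
                SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
                IsSha1             = ($c.SignatureAlgorithm.FriendlyName -match '^sha1')
                IsSelfSigned       = ($c.Subject -eq $c.Issuer)
                NotAfter           = $c.NotAfter
            }
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Lists SHA-1-signed certificates in the local stores so enterprise and self-signed
# certificates can be migrated to SHA-256 as the post recommends.
function Find-LocalSha1Certificates {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\My')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^sha1' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store              = $path
                    Subject            = $_.Subject
                    Issuer             = $_.Issuer
                    SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
                    Thumbprint         = $_.Thumbprint
                    NotAfter           = $_.NotAfter
                }
            }
    }
}

# Usage (placeholder host):
Get-SiteChainSignatureAlgorithms -HostName 'www.example.com' | Format-Table -AutoSize
Find-LocalSha1Certificates | Format-Table -AutoSize
```

Run both from an elevated PowerShell prompt so the LocalMachine stores are readable. A row with IsSha1 true and IsSelfSigned false is what the browsers will reject; a SHA-1 self-signed root on its own is not, because root signatures are never checked.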