SHA-1 certificates are finally obsolete


Microsoft has announced that it is finally banning the use of SHA-1 certificates in Microsoft Edge and Internet Explorer. The browsers will flag websites as unsafe if they use SSL/TLS certificates signed with the SHA-1 hashing algorithm. Microsoft is the last major browser vendor to do so.

A hash function like SHA-1 calculates an alphanumeric string that serves as the cryptographic representation of a file or a piece of data. This string is called a digest and can serve as the basis for a digital signature. It is supposed to be unique to its input and non-reversible.

SHA-1 (Secure Hash Algorithm) is an algorithm that is more than two decades old. It was created by the NSA in 1995 and was used to make digital signatures for secure documents and data streams. It has been known since 2005 that it is theoretically possible to break SHA-1, and the US National Institute of Standards and Technology has banned the use of SHA-1 certificates in federal agencies since 2010.

In 2015 it was found that breaking SHA-1 was much easier than previously thought. Certificates are only files, so it was theoretically possible to create two files with the same SHA-1 hash and thus impersonate a legitimate website. Browser vendors resolved to phase out such certificates and urged websites to use the longer and more secure SHA-2 algorithm to create certificates.

Since early 2016, Google and Mozilla have flagged certificates signed with SHA-1 that were created after 2016, forcing sites to use the SHA-2 hashing function instead. They completely banned the use of SHA-1 certificates in February this year. Compared with them, Microsoft seems to be a little late in catching on.
