Security: Microsoft is finally switching completely to SHA-2 signatures

From May 9, 2021, Microsoft will use only SHA-2 and thus no longer deliver anything signed with the old Secure Hash Algorithm 1 (SHA-1). Some areas, such as downloads, were changed over last year.

Microsoft has now confirmed that the changeover will be completed with the May patch day. In mid-2020 the company had already taken a first step and switched off all SHA-1-secured downloads. As part of the switch to the more secure SHA-2 algorithm, Microsoft will now retire the Microsoft SHA-1 Trusted Root Certificate Authority. The move away from the Secure Hash Algorithm 1 (SHA-1) process, which is no longer considered secure, was announced around six years ago. The changeover is now almost complete.

No problems converting

Starting May 9, 2021, all major Microsoft processes and services, including TLS certificates, code signing, and file hashing, will exclusively use the SHA-2 algorithm. Microsoft is explaining to the tech community why the move is important and what to expect from it. There is also information for partners who still deliver only SHA-1-signed content. The company is also confident that the changeover will be carried out without affecting updates and that end-users will not notice it, except that they will benefit from the better security standard.

Why is this change being made?

The SHA-1 hash algorithm has become more and more insecure over time due to the weaknesses found in the algorithm, the increased processor performance, and the emergence of cloud computing. Stronger alternatives like the Secure Hash Algorithm 2 (SHA-2) are now strongly preferred because they do not have the same problems. For this reason, we switched the signing of Windows updates in 2019 to the exclusive use of the more secure SHA-2 algorithm and then removed all SHA-1-signed Windows content from the Microsoft Download Center on August 3, 2020.

What does this change mean?

The expiry of the Microsoft SHA-1 Trusted Root Certificate Authority only affects SHA-1 certificates that are chained to the Microsoft SHA-1 Trusted Root Certificate Authority. Manually installed corporate or self-signed SHA-1 certificates are not affected; however, we strongly encourage your company to switch to SHA-2 if you have not already done so.

So that you stay protected and productive

We expect that the expiry of the SHA-1 certificate will be uneventful. All major applications and services have been tested and we have carried out a comprehensive analysis of possible problems and corrective actions. If you encounter any problem after SHA-1 is phased out, please see Issues That May Occur When SHA-1 Trusted Root Certificate Authority Is Phased Out. In addition, the Microsoft Customer Service & Support teams are ready to assist you.
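Since the expiry only affects certificates that chain up to the Microsoft SHA-1 root, the practical question for an administrator is which certificates on a given machine still carry a SHA-1 signature and which root they actually chain to. The following PowerShell audit is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the list of store names it walks is an assumption you can adjust.

```powershell
# Added example (not from the article or from Microsoft): list certificates in the
# local machine stores, flag those whose signature uses SHA-1, and show the root
# each one chains to, so SHA-1 chains can be found before the root is retired.
# Store names below are an assumption; extend them for your environment.
$stores = 'My', 'Root', 'CA', 'TrustedPublisher'

$results = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        # SignatureAlgorithm is an Oid; FriendlyName reads e.g. "sha1RSA" or "sha256RSA"
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName

        # Build the chain the way the OS would, so we see which root it lands on.
        # Revocation checking is skipped here because this is an offline inventory.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        # The last element is the root (or the highest cert found if the chain is broken)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Store        = $store
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            SignatureAlg = $sigAlg
            IsSha1Signed = ($sigAlg -like 'sha1*')
            ChainBuilt   = $chainOk
            RootSubject  = $top.Subject
            RootSigAlg   = $top.SignatureAlgorithm.FriendlyName
        }
        $chain.Reset()
    }
}

# Only the SHA-1-signed entries are interesting; show where each one chains to.
$results |
    Where-Object IsSha1Signed |
    Sort-Object RootSubject, Store |
    Format-Table Store, Subject, NotAfter, SignatureAlg, ChainBuilt, RootSubject, RootSigAlg -AutoSize
```

Read the output with one caveat in mind: a root certificate is self-signed, so a SHA-1 signature on the root itself is not what weakens the chain, since trust in a root comes from its presence in the store rather than from verifying its signature. The entries worth acting on are SHA-1-signed leaf or intermediate certificates, and in particular any whose RootSubject is the Microsoft SHA-1 root being retired; the corporate or self-signed SHA-1 certificates the announcement mentions will show up too, and those are the ones to migrate to SHA-2 on your own schedule.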
