Windows 10: An update to our SHA-1 deprecation roadmap

  1. Cluster Head
       29 Apr 2016 #1

    An update to our SHA-1 deprecation roadmap

    In November, we shared a SHA-1 Deprecation Update with some early details on our schedule for blocking SHA-1 signed TLS certificates. Today we would like to share some more details on how this will be rolled out.

    Starting with the Windows 10 Anniversary Update, Microsoft Edge and Internet Explorer will no longer consider websites protected with a SHA-1 certificate as secure and will remove the address bar lock icon for these sites. These sites will continue to work, but will not be considered secure. This change will be in upcoming Windows Insider Preview builds soon, and will be deployed broadly this summer. In February 2017, both Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates.

    This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program. Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers.

    Additional information on Microsoft’s overall SHA-1 deprecation plans can be found on TechNet.

    Test blocking of SHA-1 TLS Certificates

    You can enable logging your use of SHA1 certificates by typing the following commands into an Administrator Command Prompt. The following command does not block the use of SHA1 TLS certificates; however, it will log the certificate to the provided directory.

    First, create a logging directory and grant universal access:
    set LogDir=C:\Log
    mkdir %LogDir%
    icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F) 
    icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
    icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
    icacls %LogDir% /setintegritylevel L

    Enable certificate logging
    Certutil -setreg chain\WeakSignatureLogDir %LogDir%
    Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80900008

    Use the following commands to remove the settings after you have completed your testing.
    Certutil -delreg chain\WeakSha1ThirdPartyFlags
    Certutil -delreg chain\WeakSignatureLogDir

    Additional information on these commands and other protections against weak crypto can be found here: Protecting Against Weak Cryptographic Algorithms

    – Alec Oot, Senior Program Manager
    – Mike Stephens, Senior Program Manager

    Source: An update to our SHA-1 deprecation roadmap | Microsoft Edge Dev Blog
    Last edited by Brink; 29 Apr 2016 at 12:37. Reason: fixed links and format
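
Once logging has been enabled as described in the post, the log directory can be reviewed with a short PowerShell script. This is an added example, not part of the original post or Microsoft's tooling; it assumes the files in the directory are certificates that X509Certificate2 can load, and the $LogDir parameter defaults to the C:\Log path used in the post.

```powershell
# Added example (not from the original post): list unique certificates in the log directory.
# Assumption: files in the directory are certificates that X509Certificate2 can load.
param([string]$LogDir = 'C:\Log')   # the %LogDir% created in the steps above

# Signature-algorithm OIDs that use SHA-1.
$sha1Oids = @(
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.3.14.3.2.29',         # sha1WithRSASignature (OIW)
    '1.2.840.10040.4.3',     # dsa-with-sha1
    '1.2.840.10045.4.1'      # ecdsa-with-SHA1
)

$seen = @{}
$report = foreach ($file in Get-ChildItem -LiteralPath $LogDir -File) {
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    } catch {
        Write-Warning "Skipping $($file.Name): not a loadable certificate"
        continue
    }
    # The same certificate can appear in more than one file; report it once.
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }
    $seen[$cert.Thumbprint] = $true

    [pscustomobject]@{
        Sha1Signed = $sha1Oids -contains $cert.SignatureAlgorithm.Value
        Algorithm  = $cert.SignatureAlgorithm.FriendlyName
        SelfIssued = $cert.Subject -eq $cert.Issuer   # tells roots apart from leaf/intermediate
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        FirstFile  = $file.Name
    }
}

# SHA-1 signed entries first, then by issuer so certificates from one CA sit together.
$report | Sort-Object @{Expression='Sha1Signed';Descending=$true}, Issuer, NotAfter |
    Format-Table Sha1Signed, Algorithm, SelfIssued, NotAfter, Subject, Issuer -AutoSize -Wrap
```

Classification is done on the signature algorithm OID rather than the friendly name, because friendly names vary with the system's display language.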