SHA-1 Deprecation Update

November 4th, 2015

In a previous update on TechNet, we announced that Windows will block SHA-1 signed TLS certificates starting on January 1, 2017. In light of recent advances in attacks on the SHA-1 algorithm, we are now considering an accelerated timeline to deprecate SHA-1 signed TLS certificates as early as June 2016.

Mozilla recently announced a similar intent on the Mozilla Security Blog. We will continue to coordinate with other browser vendors to evaluate the impact of this timeline based on telemetry and current projections for feasibility of SHA-1 collisions.

For more details on our schedule, please see Windows Enforcement of Authenticode Code Signing and Timestamping on Technet, or reach out to us on Twitter or in the comments below.

– Kyle Pflug, Program Manager, Microsoft Edge