
YOU... SHA-1 NOT PASS! Microsoft magics away demonic hash algorithm from Windows updates, apps

Because no one likes to install spoof system files

Microsoft is preparing to once and for all drop support for the SHA-1 hash algorithm.

Redmond this week said that on Monday, August 3, Windows downloads signed using SHA-1 will no longer be offered by the Windows app'n'updates download center, the last step in a SHA-2 transition that has been going on for more than a year now.

"To support evolving industry security standards, and continue to keep you protected and productive, Microsoft will retire content that is Windows-signed for Secure Hash Algorithm 1 (SHA-1) from the Microsoft Download Center on August 3, 2020," Microsoft said in a tech bulletin.

"This is the next step in our continued efforts to adopt Secure Hash Algorithm 2 (SHA-2), which better meets modern security requirements and offers added protections from common attack vectors."

In making the move, Microsoft noted the security shortcomings of SHA-1, which cryptanalysts have shown, repeatedly and in practice, to be vulnerable to collision attacks: two different inputs can be made to produce the same 160-bit digest.

As far back as 2004, when MD5 and SHA-0 fell to collision attacks, the algorithm was feared to be vulnerable too, and by 2015 NIST had disallowed it for digital signature generation by the US government.

The fears were realized in 2017, when eggheads at Google and CWI Amsterdam teamed up to produce the first publicly known real-world SHA-1 collision, dubbed SHAttered: two different PDF documents with the same SHA-1 digest. Because a digital signature covers only the digest of a file, a signature over one such document verifies equally well on its evil twin. At that point, it was abandon ship time for anyone still relying on the algorithm.

Likewise, Microsoft said that it wants to be rid of the potential security risks that come with the outdated algorithm once and for all.

"SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure," Microsoft noted. "Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks."

Not that this was a recent decision from Redmond. As with most of the bigger moves Microsoft makes, the transition from SHA-1 is a drawn-out process that has been going on since at least March 2019 when Windows Updates began to be signed with SHA-2 hashes.

Users and admins should have long since transitioned to SHA-2 as well. Following the March 2019 move for Windows Update, Microsoft in August 2019 ended all support for updates not signed with SHA-2.
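For admins who want to check what they actually have on disk, here is an added example (not code from the article or from Microsoft) that reads the Authenticode certificate table of a Windows PE file and reports which digest algorithm the PKCS#7 SignedData declares, so a SHA-1-signed binary can be told from a SHA-2-signed one without trusting the download page. The PE layout, WIN_CERTIFICATE framing and OIDs below are the documented ones; the `build_sample_pe` helper is constructed test data, a fake PE header with a truncated SignedData blob, not a real Windows binary.

```python
import struct
import sys

# Digest algorithm OIDs that appear in Authenticode SignedData.
DIGEST_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"


def _der_read(buf, pos):
    """Decode one DER TLV at pos: returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def digest_algorithms(pkcs7):
    """Return the digestAlgorithms of a PKCS#7 SignedData blob, by name."""
    _, ci_start, _ = _der_read(pkcs7, 0)                 # ContentInfo SEQUENCE
    tag, oid_s, oid_e = _der_read(pkcs7, ci_start)       # contentType OID
    if tag != 0x06 or _decode_oid(pkcs7[oid_s:oid_e]) != OID_SIGNED_DATA:
        raise ValueError("not a signedData ContentInfo")
    _, ctx_start, _ = _der_read(pkcs7, oid_e)            # [0] EXPLICIT content
    _, sd_start, _ = _der_read(pkcs7, ctx_start)         # SignedData SEQUENCE
    _, _, ver_end = _der_read(pkcs7, sd_start)           # version INTEGER
    tag, set_start, set_end = _der_read(pkcs7, ver_end)  # digestAlgorithms SET OF
    if tag != 0x31:
        raise ValueError("expected SET OF AlgorithmIdentifier")
    names, pos = [], set_start
    while pos < set_end:
        _, alg_start, alg_end = _der_read(pkcs7, pos)    # AlgorithmIdentifier
        _, o_s, o_e = _der_read(pkcs7, alg_start)        # algorithm OID
        names.append(DIGEST_OIDS.get(_decode_oid(pkcs7[o_s:o_e]), _decode_oid(pkcs7[o_s:o_e])))
        pos = alg_end
    return names


def authenticode_blobs(pe):
    """Yield each PKCS#7 blob in the PE certificate table (data directory 4)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                          # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    cert_off, cert_size = struct.unpack_from("<II", pe, dd_base + 4 * 8)
    pos, end = cert_off, cert_off + cert_size        # a raw file offset, not an RVA
    while cert_size and pos < end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if ctype == 0x0002:                          # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            yield pe[pos + 8:pos + length]
        pos += (length + 7) & ~7                     # entries are 8-byte aligned


def signature_digests(pe):
    """Digest algorithm names for every Authenticode signature in the file."""
    return [digest_algorithms(blob) for blob in authenticode_blobs(pe)]


def is_sha1_signed(pe):
    return any("sha1" in algs for algs in signature_digests(pe))


def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return _der(0x06, bytes(out))


def build_sample_pe(digest_oid):
    """Constructed test input (not a real binary): a minimal PE32 header whose
    certificate table holds a SignedData blob truncated after digestAlgorithms."""
    signed_data = _der(0x30, _der(0x02, b"\x01") +
                       _der(0x31, _der(0x30, _der_oid(digest_oid) + b"\x05\x00")))
    pkcs7 = _der(0x30, _der_oid(OID_SIGNED_DATA) + _der(0xA0, signed_data))
    win_cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    win_cert += b"\0" * (-len(win_cert) % 8)
    e_lfanew, opt_size = 0x40, 96 + 16 * 8
    cert_off = e_lfanew + 4 + 20 + opt_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0)
    dirs = [(0, 0)] * 16
    dirs[4] = (cert_off, len(win_cert))
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + win_cert


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe("1.3.14.3.2.26")
    print(signature_digests(data))
```

Run it against a real file with `python check_sig.py C:\path\to\update.exe`. One caveat for the dual-signed binaries Microsoft shipped during the transition: the SHA-2 signature is nested inside the SHA-1 SignedData as an unsigned attribute rather than appended as a second WIN_CERTIFICATE entry, so this check reports the outer (SHA-1) signature only; `signtool verify /v /all` walks the nested one as well.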

In January of this year, the Trusted Root Program also moved to SHA-2 only. In short, this transition was a long time coming, and any users who have been able to download and install a Windows update over the last year or so should already support SHA-2 and shouldn't, hopefully, notice any difference. ®
