Microsoft reprieves SHA-1 deprecation in Edge 85 security baseline

Microsoft has published a new security baseline for Microsoft Edge and one of the new rules is titled “Allow certificates signed using SHA-1 when issued by local trust anchors.”

Which may surprise some readers seeing as the United States National Institute of Standards and Technology deprecated SHA-1 in 2011 and Microsoft banished it from its Internet Explorer and Edge browsers in 2017.

Both did so because the hashing algorithm was susceptible to collision attacks that allowed replicas to be created, a flaw that Google proved in early 2017.

'First ever' SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time

READ MORE

So why has Microsoft revived SHA-1 now?

Redmond’s explanation includes with the admission that “it might seem odd that we are adding a deprecated setting to the baseline” but insists “this one is important.”

“Microsoft Edge forbids certificates signed using SHA-1 by default, and the security baseline is enforcing this to ensure Enterprises recognize that allowing SHA-1 chains is not a secure configuration,” wrote Microsoft security chap Rick Munck. “Should you need to use a SHA-1 chain for compatibility with existing applications that depend on it, moving away from that configuration as soon as possible is critical to the security of your organization.”

Relief is also temporary: “ In version 92 of Microsoft Edge (mid-2021) this setting will be removed, and there will be no supported mechanism to allow SHA-1, even for certificates issued by your non-public Certificate Authorities, after that,” Munck wrote.

The new baseline for Edge 85 also adds a policy titled “Define a list of protocols that can launch an external application from listed origins without prompting the user” that will mean users will be given an option to always allow browsers to spawn local apps.

Microsoft argues this change is needed because seeing a prompt every time a user clicks on a link to well-known apps such as Teams and Skype desensitizes them to real threats and creates complaints to IT departments. The new policy therefore means users will be offered a check-box to always allow the browser to launch certain apps.

“Leveraging this setting will suppress that prompt and reduce noise to the end user by approving the content at the enterprise level. Reducing end user prompts both improves user productivity and helps them make better decisions when an unexpected request appears by reducing prompt fatigue” Munck wrote.

Microsoft rates its full list of Edge policies a 313-minute read. But we’ve all got time on our hands right now so why not jump in? ®