Microsoft ‘Mortally Wounds’ SHA-1

Microsoft has announced that CAs in its root program may not issue certs signed using the SHA-1 algorithm, starting just over two years from now, and that Windows will start refusing to recognise such certs starting just over 3 years from now.

Make no mistake, this is a huge move and an aggressive timetable. 98% of certificates in use on the Internet today use SHA-1. Any certificate being used on the public web today which has an expiry date more than 3 years in the future will not be able to live out its full life. And it’s also an important and necessary move. SHA-1 is weak, and as computing power increases, is only getting weaker. If someone came up with a successful preimage attack on SHA-1, they could preimage a commonly-used intermediate cert from a popular CA and impersonate any website in a way only detectable by someone who examines certificates very, very carefully.

I strongly welcome this, and want to use it as an opportunity to make further improvements in the CA ecosystem. Currently, the maximum lifetime of a certificate under the Baseline Requirements is 5 years. It is due to reduce to 39 months in April 2015. Given that 98% of the certificates on the Internet are going to need to be thrown away 3 years from now anyway, I want to take the opportunity to reduce that figure early.

Long-lived certificates are problematic because CAs understandably strongly resist having to call their customers up and tell them to replace their working certificates before they would naturally expire. So, if there are certificates out there with a lifetime of N years, you can only rely on 100% coverage or usage of an improved security practice after N years. With N = 5, that reduces the speed at which the industry can move. N = 3 isn’t awesome, but it’s a whole lot better than N = 5.

So I will be bringing forward a motion at the CAB Forum to update the Baseline Requirements to reduce the maximum certificate lifetime to 3 years, effective from January 1st 2014.

8 thoughts on “Microsoft ‘Mortally Wounds’ SHA-1

  1. Ahmet: The EFF SSL Observatory (https://www.eff.org/observatory) has published those figures from surveying IPv4 space.
    +————————–+———-+
    | Signature Algorithm | count(*) |
    +————————–+———-+
    | md5WithRSAEncryption | 3 |
    | sha1WithRSAEncryption | 455511 |
    | sha256WithRSAEncryption | 17 |
    | sha512WithRSAEncryption | 1 |
    +————————–+———-+

    This is from page 24 of their 27C3 talk. https://www.eff.org/files/ccc2010.pdf

  2. For this to actually work, 2 things must happen.

    1) SSL providers must stop charging premiums and/or outrageous fees for SHA-2 certs. $300 per cert needs to stop.

    2) Servers must all change over to SHA-2 certs.

    If majority of servers do not change over – and M$ continues on this path, then in 2-3 years they will be left standing, looking foolish which their shiny new Windows OS not able to browse most of the internet.

    So basically, M$ does not have the clout to make this happen. It will fail on them and do harm to their reputation and product.

    This isn’t for Microsoft to exclaim. Instead, the server industry (of which approx 96% of all servers are Linux) have to be on-board first.

    • Over 90% of the desktop market, the eyeballs these servers want to be consumed by, isn’t enough clout? What exactly would be enough clout in your mind?

  3. “Windows will start refusing to recognise such certs starting just over 3 years from now”

    Just like Windows XP stopped being supported in 2009. Corporate customers will balk and Microsoft will be forced to backtrack.

  4. Pingback: News – November 17, 2013 | cipherpal