SHA-1 is a hashing algorithm that has been widely used since its release in 1995. However, after being compromised in 2005, SHA-1 is no longer considered a secure hash function and has been replaced by the more secure hash functions SHA-2 and SHA-3. Many companies, including Google, Mozilla and Microsoft, have announced that they will stop accepting SHA-1 TLS certificates by 2017.
Microsoft has now said that from February 14, 2017, it will no longer support the use of SHA-1 signed certificates, which will affect some websites, users and third-party applications. According to Microsoft's statement, the change is meant to further strengthen the security of the Edge and IE 11 browsers: the two browsers will not load sites that use a SHA-1 signed certificate and will instead display an "invalid certificate" warning, although the user can choose to bypass the warning and access the potentially vulnerable website. Microsoft has clarified that this will only affect websites that use SHA-1 signed certificates chaining to Microsoft Trusted Root CAs; sites that use manually installed enterprise SHA-1 certificates or self-signed SHA-1 certificates will not be affected.
Microsoft said that developers who have installed the November 2016 Windows updates can test whether their websites will be affected by the decision. Microsoft has clarified that third-party Windows applications that use the Windows Encryption API, and older versions of Internet Explorer, will not be affected. Similarly, the update does not prevent clients from using SHA-1 certificates for client authentication. With regard to cross-signed certificates, Microsoft has confirmed that Windows will only check whether the fingerprint of the root certificate exists in the Microsoft Trusted Root Certification Program.