Microsoft to use SHA-2 exclusively starting May 9, 2021

Corrine

Administrator,
Microsoft MVP,
Security Analyst
Staff member
Joined
Feb 22, 2012
Posts
12,623
Location
Upstate, NY
Quote
As a major move to the more secure SHA-2 algorithm, Microsoft will allow the Secure Hash Algorithm 1 (SHA-1) Trusted Root Certificate Authority to expire. Beginning May 9, 2021 at 4:00 PM Pacific Time, all major Microsoft processes and services—including TLS certificates, code signing and file hashing—will use the SHA-2 algorithm exclusively.


Additional information at the source: Microsoft to use SHA-2 exclusively starting May 9, 2021 - Microsoft Tech Community.
 
If for no other reason than to avoid bad publicity and the inevitable exaggerated bashings from all the Microsoft haters, I suspect Windows Update is a top priority and one of the primary areas they have concentrated many resources on to ensure it won't have any issues.

That said, as noted in Corrine's link, they "changed the signing Windows updates to use the more secure SHA-2 algorithm exclusively in 2019". So if there are any issues with Windows update, they most likely will be due to something other than switching to SHA-2.
 
Any encrypted communication will be more secure and security signatures will be more difficult to spoof.
 
what kind of impact could this possibly have for end users?
Most likely, we will "see" no impact at all. We will be able to continue using our computers as we did before - except we will be in a safer environment.

If the bad guys failed to break through the security barriers and get to you before, this just adds yet another barrier in their way.
 
Back in 2017, Google discovered a flaw in the (by then already old and superseded) SHA-1 algorithm. SHA-1 is a hashing function, which takes an input and converts it to a unique value. Being a hash function, this transformation can only go one way (you can convert a value to a hash, but you can’t convert a hash back to the original value). Hashing functions are vital in software, being used for password storage, certificate signing and file verification.

The flaw in SHA-1 allowed 2 different files to generate the exact same hash. This is a major vulnerability. For example, if the OS used a SHA-1 hash to verify an update was valid, an attacker could produce a malicious update that would generate the same hash and pass verification.

There’s a much better and more detailed explanation here Announcing the first SHA1 collision

Theoretical attacks have been known in SHA1 for over a decade, and NIST recommended against using SHA1 back in 2012 Hash Functions | CSRC. So tbh, it’s a long overdue fix by MS.

From an end user point of view, there’s no noticeable difference, but it’s an important security fix.
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top