Kev

Microsoft to remove all SHA-1 Windows downloads next week


Microsoft says file downloads signed with the SHA-1 algorithm are insecure and will be removed on August 3, 2020.

 


 

Microsoft announced this week plans to remove all Windows-related file downloads from the Microsoft Download Center that are cryptographically signed with the Secure Hash Algorithm 1 (SHA-1).

 

The files will be removed next Monday, on August 3, the company said on Tuesday.

 

The OS maker cited the security of the SHA-1 algorithm for the move.

 

Quote

"SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," it said.

 

SHA-1, BROKEN SINCE 2016

Most software companies have recently begun abandoning the SHA-1 algorithm after a team of academics broke the SHA-1 hashing function at a theoretical level in February 2016.

 

The algorithm was broken in a real-world practical attack in February 2017, when Google cryptographers disclosed SHAttered, a technique that could make two different files appear as if they had the same SHA-1 file signature.

 

At the time, creating an SHA-1 collision was considered computationally expensive, and Google experts thought SHA-1 could still be used in practice for at least half a decade until the cost would go down.

 

However, subsequent research released in May 2019 and in January 2020 detailed an updated methodology to cut down the cost of an SHA-1 collision attack to under $110,000 and then to under $50,000.

 

Since 2016, software makers have abandoned SHA-1, mainly for SHA-2. Google removed SHA-1 support from Chrome with the release of Chrome 56, at the end of January 2017; Firefox removed SHA-1 support in Firefox 51, also released at the end of January 2017; and Microsoft dropped support for SHA-1 in Edge and Internet Explorer in mid-2017.

 

Apple followed by removing SHA-1 from iOS 13 and macOS Catalina, and OpenSSH announced plans to deprecate SHA-1 for its login process earlier this year.

 

Microsoft, since August 2019, no longer uses SHA-1 to sign and authenticate Windows OS updates. Currently, Microsoft is in the process of replacing SHA-1 with SHA-2 across its products.

 

However, the OS maker didn't specify if the Windows-related files that are being removed from its downloads center on Monday will be replaced with new download links signed with SHA-2, leaving many to wonder if they'll ever be able to download some of Microsoft's old tools.

 

Via zdnet.com
