Microsoft may join Mozilla and retire SHA-1 in 2016

Microsoft has decided to follow Mozilla down the path to better security, bringing forward the end-of-life date for SHA-1 hashing. SHA-1 has long been suspect, but in 2015 the ease and effectiveness of attacks against it have grown to the point where everyone with good sense is making their excuses and leaving the room. …

  1. This post has been deleted by its author

    1. Pascal Monett Silver badge

      On the plus side, with MS finally getting its act together, a whole lot of the Web is going to be a whole lot more secure after Jan 1st.

      1. spam 1

        Do you mean June 1st?

  2. I. Aproveofitspendingonspecificprojects

    How about a security Icon from Ashtralia> the faceboobgirl?

  3. Anonymous Coward

    Bandwaggon

    Reg - you reported this last week (this ain't new). And while we will have lots jumping on with M$ bashing (which is usually fair) anyone with some actual experience in this area knows that killing off SHA 1 for all devices is not that easy. In essence there is a huge swathe of OSes (not just M$) that won't be able to do SSL\TLS when this comes in because they have no pathway to support SHA2 (or above). Then there is a huge swathe that can be patched but are not. M$ announced about two years ago their plans for dropping SHA1 and now they have speeded up that process because the situation has changed. Ah well - muppets will bash M$ regardless...

    1. paulej72

      Re: Bandwaggon

      I have printers that use SHA1 for https to the web configuration interface. I had to download an old version of Pale Moon to access them since both Chrome and FF would not let me access them. And for some of them, I am sure there will be no upgrades to the firmware to support SHA2.

      While SHA1 might be hackable, I would rather use it than to send my printer passwords over the net in plain text.

  4. Anonymous Coward

    False dichotomy?

    You make it sound as if the choice is between SHA-1 and plain text... SHA-1 is a hashing algorithm. It's used in the certificate, not for encryption. The certificate was generated by some stupid company you've never heard of. You can't trust the certificate anyway. What you should do is either find out your printer's public key, write it on a Post-it note and check it manually whenever you connect to the printer, or generate your own certificate, using the hashing algorithm of your choice, and configure your browser to use and trust that certificate, which will be a lot more trustworthy than the certificate given out by some stupid company you've never heard of. (In case you're about to ask: no, I've never done that and don't know exactly how to do it. Perhaps I should try it one day just to see if my theoretical understanding of how these things work is roughly in line with how they work in practice.)
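Added example, not part of the comment above or of the original page: the manual public-key check that comment describes, as a small Python sketch that reads a DER certificate, reports which hash the signature algorithm names, and compares the SHA-256 of the SubjectPublicKeyInfo with a recorded value. The function names, the key bytes and the unsigned certificate-shaped sample are all constructed for illustration.

```python
import hashlib
import hmac

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
RSA_KEY = bytes.fromhex("2a864886f70d010101")     # rsaEncryption
NAMES = {SHA1_RSA: "sha1WithRSAEncryption", SHA256_RSA: "sha256WithRSAEncryption"}

def read(buf, pos):
    """Parse one DER element at pos; return (tag, body_start, end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long-form length
        k = first & 0x7F
        return tag, pos + k, pos + k + int.from_bytes(buf[pos:pos + k], "big")
    return tag, pos, pos + first

def children(buf, start, end):
    """List (tag, start, body_start, end) for each element in buf[start:end]."""
    out = []
    while start < end:
        tag, body, nxt = read(buf, start)
        out.append((tag, start, body, nxt))
        start = nxt
    return out

def describe_cert(der):
    """Return (signature algorithm name, SHA-256 hex of SubjectPublicKeyInfo)."""
    _, body, end = read(der, 0)
    tbs, sig_alg, _sig = children(der, body, end)
    oid = children(der, sig_alg[2], sig_alg[3])[0]
    fields = children(der, tbs[2], tbs[3])
    if fields[0][0] == 0xA0:              # optional [0] version
        fields = fields[1:]
    spki = fields[5]                      # serial, alg, issuer, validity, subject, SPKI
    return NAMES.get(der[oid[2]:oid[3]], "unknown"), hashlib.sha256(der[spki[1]:spki[3]]).hexdigest()

def pin_ok(der, pinned_hex):              # presented key vs. the recorded fingerprint
    return hmac.compare_digest(describe_cert(der)[1], pinned_hex)

def tlv(tag, body):                       # DER builder for the sample (short lengths only)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid, key):
    """Constructed, unsigned, certificate-shaped DER; not a real certificate."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_KEY) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + tlv(0x30, b"") * 3 + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))
```

For a live device the DER bytes can be taken from `ssl.SSLSocket.getpeercert(binary_form=True)`; the fingerprint depends only on the key, so it stays the same when the same key is re-issued under a different signature hash.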
