back to article Microsoft reprieves SHA-1 deprecation in Edge 85 security baseline

Microsoft has published a new security baseline for Microsoft Edge and one of the new rules is titled “Allow certificates signed using SHA-1 when issued by local trust anchors.” Which may surprise some readers seeing as the United States National Institute of Standards and Technology deprecated SHA-1 in 2011 and Microsoft …

  1. J27 Bronze badge

    Damned so called "enterprises" screw themselves again.

    1. Pascal Monett Silver badge

      More like they're continuing to screw themselves. If they still need SHA-1 since it has been deprecated, it means that they've done diddly-squat to solve the problem and migrate to something more secure.

      Once again, business-critical applications whose original vendor has long bitten the bullet are still lurking about, preventing any change because of the prohibitive cost in replacing them by something more secure.

      Of course, companies in this situation could just physically isolate the affected machines from the Internet, but if they're already doing that and there are no other machines accessing the outdated security components, then the Edge/SHA-1 issue already doesn't impact them, so where's the problem ?

      1. J. Cook Silver badge
        Boffin

        They are absolutely screwing themselves over if they are insisting on using a deprecated certificate authority. Unless they've done something completely outside best practices (like making the CA root have an expiration date of 100 years or something equally stupid), they should be using something at least supported, especially if they are paying MS for support on it. And TBH, it's not too difficult to stand up a new CA next to an old one, which is useful if the CA's name needs to be changed or some such. (That's the route [RedactedCo] took moving away from a SHA-1 signed certificate with a tiny key length- We decided to stand up a new CA that exceeded best practices in terms of algorithm and key length, and just let the old one expire out. (We did have to remove it later on from the environment which was a little shaky, but our AD has a decent amount of cruft in it already from nearly 20 years of existence and a number of admins and people who thought they were admins messing around in it.)

      2. Anonymous Coward
        Anonymous Coward

        Yes SHA-1 certs are an issue.

        The alternative enterprise fix if Microsoft depreciate it will be HTTP.

        Pessimistic? Nah....a realist...

    2. HildyJ Silver badge
      FAIL

      Enterprise

      Disambiguation -

      Enterprise (starship) - To boldly go where no man has gone before .

      Enterprise (company) - To boldly stop while others go forward.

      1. Throatwarbler Mangrove Silver badge
        Pirate

        Re: Enterprise

        Don't be daft. Stopping the ship requires submission of form 24b/6, preapproved by an executive team member and faxed to Audit for review. A minimum of two weeks prior notification is required for thorough review by the change board. The change window is at Saturday at 2:00 AM in whatever time zone you happen to be in. No changes will be allowed on Saturdays falling on year end, quarter end, month end, or week end.

        As a reminder, there will be a mandatory four-hour webinar this Friday afternoon at 5:00 PM entitled "Driving Efficiency and Raising Morale: Best Practices in the 21st Century."

        1. David 132 Silver badge
          Happy

          Re: Enterprise

          Starfleet was never the same again after the Vogons joined the Federation.

      2. Dan 55 Silver badge

        Re: Enterprise

        Unless it's Star Trek Discovery...

        LCARS is running MS SQL Server.

  2. IGnatius T Foobar ! Bronze badge

    ...and no one noticed.

    Microsoft made a significant change to Edge, and no one noticed, because no one uses Edge.

    1. IGotOut Silver badge

      Re: ...and no one noticed.

      Dunno, given Mozilla's self destruct mission at the moment, it could end up as the no3 browser for mobile.

      (Just moving to Vivaldi from FF).

  3. David Roberts
    Trollface

    Alternatively

    Microsoft discovered that companies weren't moving to Edge because it wouldn't work with their legacy systems.

    Temp them across then shut them down later.

  4. Cuddles Silver badge

    "moving away from that configuration as soon as possible is critical to the security of your organization"

    "seeing a prompt every time a user clicks on a link to well-known apps such as Teams and Skype desensitizes them to real threats and creates complaints to IT departments"

    Maybe Microsoft should get in touch with whichver organisation it is that makes well-known apps such as Teams and Skype and tell them to fix the critical security threats they're causing? It seems a shame to compromise the security of a popular browser just to accomodate one organisation with poor security practises. If only they knew which organisation was to blame for this issue.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020