Microsoft reprieves SHA-1 deprecation in Edge 85 security baseline

Microsoft has published a new security baseline for Microsoft Edge and one of the new rules is titled “Allow certificates signed using SHA-1 when issued by local trust anchors.” Which may surprise some readers seeing as the United States National Institute of Standards and Technology deprecated SHA-1 in 2011 and Microsoft …

  1. J27

    Damned so-called "enterprises" screw themselves again.

    1. Pascal Monett Silver badge

      More like they're continuing to screw themselves. If they still need SHA-1 since it has been deprecated, it means that they've done diddly-squat to solve the problem and migrate to something more secure.

      Once again, business-critical applications whose original vendor has long bitten the bullet are still lurking about, preventing any change because of the prohibitive cost in replacing them by something more secure.

      Of course, companies in this situation could just physically isolate the affected machines from the Internet, but if they're already doing that and there are no other machines accessing the outdated security components, then the Edge/SHA-1 issue already doesn't impact them, so where's the problem?

      1. J. Cook Silver badge
        Boffin

        They are absolutely screwing themselves over if they are insisting on using a deprecated certificate authority. Unless they've done something completely outside best practices (like making the CA root have an expiration date of 100 years or something equally stupid), they should be using something at least supported, especially if they are paying MS for support on it. And TBH, it's not too difficult to stand up a new CA next to an old one, which is useful if the CA's name needs to be changed or some such. (That's the route [RedactedCo] took moving away from a SHA-1 signed certificate with a tiny key length - we decided to stand up a new CA that exceeded best practices in terms of algorithm and key length, and just let the old one expire out. (We did have to remove it later on from the environment which was a little shaky, but our AD has a decent amount of cruft in it already from nearly 20 years of existence and a number of admins and people who thought they were admins messing around in it.))

      2. Anonymous Coward
        Anonymous Coward

        Yes, SHA-1 certs are an issue.

        The alternative enterprise fix if Microsoft deprecate it will be HTTP.

        Pessimistic? Nah....a realist...

    2. Anonymous Coward
      FAIL

      Enterprise

      Disambiguation -

      Enterprise (starship) - To boldly go where no man has gone before.

      Enterprise (company) - To boldly stop while others go forward.

      1. Throatwarbler Mangrove Silver badge
        Pirate

        Re: Enterprise

        Don't be daft. Stopping the ship requires submission of form 24b/6, preapproved by an executive team member and faxed to Audit for review. A minimum of two weeks prior notification is required for thorough review by the change board. The change window is Saturday at 2:00 AM in whatever time zone you happen to be in. No changes will be allowed on Saturdays falling on year end, quarter end, month end, or week end.

        As a reminder, there will be a mandatory four-hour webinar this Friday afternoon at 5:00 PM entitled "Driving Efficiency and Raising Morale: Best Practices in the 21st Century."

        1. David 132 Silver badge
          Happy

          Re: Enterprise

          Starfleet was never the same again after the Vogons joined the Federation.

      2. Dan 55 Silver badge

        Re: Enterprise

        Unless it's Star Trek Discovery...

        LCARS is running MS SQL Server.

  2. IGnatius T Foobar !

    ...and no one noticed.

    Microsoft made a significant change to Edge, and no one noticed, because no one uses Edge.

    1. IGotOut Silver badge

      Re: ...and no one noticed.

      Dunno, given Mozilla's self destruct mission at the moment, it could end up as the no3 browser for mobile.

      (Just moving to Vivaldi from FF).

  3. David Roberts
    Trollface

    Alternatively

    Microsoft discovered that companies weren't moving to Edge because it wouldn't work with their legacy systems.

    Tempt them across then shut them down later.

  4. Cuddles

    "moving away from that configuration as soon as possible is critical to the security of your organization"

    "seeing a prompt every time a user clicks on a link to well-known apps such as Teams and Skype desensitizes them to real threats and creates complaints to IT departments"

    Maybe Microsoft should get in touch with whichever organisation it is that makes well-known apps such as Teams and Skype and tell them to fix the critical security threats they're causing? It seems a shame to compromise the security of a popular browser just to accommodate one organisation with poor security practices. If only they knew which organisation was to blame for this issue.
