1

SHA-1 certificates are deprecated. The web browser Google Chrome shows a red security warning for the website https://sha1-2017.badssl.com/ (SHA-1 certificate expires in 2017). It shows neutral (neither green padlock nor red warning) for https://sha1-2016.badssl.com/. Otherwise the pages load normally.

I read http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx but don't understand Microsoft's policy. Will Internet Explorer eventually refuse these certificates too? When exactly, and how so—what will it look like? An address bar warning like Chrome, or a scary interstitial?

The two websites load without warnings in Firefox 41, but I understand Mozilla plan to introduce "This Connection is Untrusted" interstitials from Firefox 43. https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/

Colonel Panic

2 Answers

1

Microsoft announced a SHA-1 notice for their browsers starting in June 2016. The wording of the notice is still "under consideration".

December, 2015 update: Microsoft is aware of recent advances in attacks on the SHA-1 algorithm and we are evaluating the impact of moving the dates on our schedule up further to help protect customers. The most significant revision we are considering is to introduce a "speed bump" into the process in June of 2016, which will provide a notice to customers that the website is using a SHA-1 certificate. The exact wording of this prompt is still under consideration.

blog entry by Kyle Pflug, Program Manager Microsoft Edge

TechNet article on Windows Enforcement of Authenticode Code Signing and Timestamping

Sam Acton
1

Update January 2017: Here's a website with a SHA1 certificate expiring 2018. https://www.belshe.com/

  1. Google Chrome shows 'not secure' with red warning triangle and 'https' crossed out. If you click it explains "Your connection to this site is not secure. You should not enter any sensitive information."
  2. Internet Explorer 11 omits the padlock icon at the right of the address bar and shows 'https' in grey rather than black. It's barely noticeable.
  3. Mozilla Firefox blocks the page 'This Connection is Untrusted'. To continue, you have to add an exception. After that, it shows a yellow warning triangle over the padlock icon.
  4. Microsoft Edge omits the padlock icon it shows on other secure sites. It's barely noticeable.

I'd be curious how the site appears in mobile browsers.

Colonel Panic