Windows IT Pro Blog
SHA-1 Windows content to be retired August 3, 2020

Namrata_Bachwani
Jul 29, 2020

To support evolving industry security standards, and continue to keep you protected and productive, Microsoft will retire content that is Windows-signed for Secure Hash Algorithm 1 (SHA-1) from the Microsoft Download Center on August 3, 2020. This is the next step in our continued efforts to adopt Secure Hash Algorithm 2 (SHA-2), which better meets modern security requirements and offers added protections from common attack vectors.

 

SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

 

Microsoft no longer uses SHA-1 to authenticate Windows operating system updates due to security concerns associated with the algorithm, and has provided the appropriate updates to move customers to SHA-2 as previously announced. Accordingly, beginning in August 2019, devices without SHA-2 support have not received Windows updates. If you are still reliant upon SHA-1, we recommend that you move to a currently supported version of Windows and to stronger alternatives, such as SHA-2.
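For administrators who keep local copies of installers and updates, one way to find files still tied to SHA-1 is to inventory the signer certificates. The PowerShell below is an added example, not code from Microsoft or from this post; the folder path is a hypothetical placeholder.

```powershell
# Added example: list Authenticode-signed files in a folder and flag those
# whose signer certificate was itself signed with a SHA-1 based algorithm.
# Assumption: $Path is a hypothetical folder of previously downloaded installers.
param(
    [string]$Path = 'C:\Installers'   # hypothetical location, change as needed
)

# OIDs of SHA-1 based certificate signature algorithms
$sha1Oids = @(
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.2.840.10045.4.1',     # ecdsa-with-SHA1
    '1.2.840.10040.4.3'      # dsa-with-SHA1
)

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.msi, *.cab, *.dll |
    ForEach-Object {
        # Unsigned or unsupported files come back with no SignerCertificate
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        [pscustomobject]@{
            File          = $_.FullName
            Status        = $sig.Status
            Signer        = if ($cert) { $cert.Subject } else { $null }
            CertAlgorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { 'unsigned' }
            Sha1Cert      = [bool]($cert -and ($sha1Oids -contains $cert.SignatureAlgorithm.Value))
            NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
        }
    } |
    Sort-Object Sha1Cert -Descending |
    Format-Table -AutoSize
```

`Get-AuthenticodeSignature` reports one signature per file and the column shown is the certificate's signature algorithm, not the file digest, so dual-signed files need a tool that lists every signature before they are judged SHA-1-only.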

Updated Jul 29, 2020
Version 2.0

18 Comments

  • mruniqat
    Copper Contributor

    Could you guys please do us all a favor and offer all historic updates to archive.org? There are a lot of users out there who still like to use older Windows versions for fun on older computers; it would be a shame to behave like Sony & Co., who just deleted all old drivers from their driver pages.

  • Thank you for sharing.

    I hope this process would be smooth and reliable so users won't see much difference, and we have to be careful of messages like "certificate is invalid".

  • venkatramd
    Copper Contributor

    Namrata_Bachwani 

    Does it impact all the .NET downloads available in the Download Center?

    What does retirement mean? They will no longer be available?

  • abbodi1406
    Iron Contributor

    Sean Andrews  Windows 7 updates are dual signed since late April 2012

    and most of the same updates files exist in Microsoft Update Catalog (its links don't usually stop working even if the update entry is removed/expired from catalog)

    unlike Office updates global exe installers, they only exist in Download Center

  • Sean Andrews
    Copper Contributor

    Can we assume all XP and 2003 updates are gone then? How long were Windows 7 and 2008/2008 R2 updates dual signed? Can we get a breakdown by products, maybe with dates or years to know what will be removed?

  • abbodi1406
    Iron Contributor

    I see that a number of Office 2010 / 2013 (and even 2016) MSI updates are removed from Download Center

    those are the global exe installers without any alternative, and most of those updates are dual signed (sha1/sha256) anyway

    bad decision

  • Hi. Let's see if I've got this article right: Downloadable contents are going to disappear from the Microsoft website, if their digital certificate is using a SHA-1 digest. Am I right?