Starting yesterday, via updates delivered in the May 2017 Patch Tuesday, Microsoft browsers such as Edge and Internet Explorer, have begun flagging websites as insecure if they use SSL/TLS certificates signed with the SHA-1 algorithm.
The move comes after Mozilla banned SHA-1-signed certificates in Firefox 51, and Google in Chrome 56, both browser versions released in January 2017.
SHA-1 deprecation started in the fall of 2015
The reasons why all these three major browsers banned SHA-1 was, initially, because of research published in the autumn of 2015, revealing that the financial and computational cost of breaking SHA-1 was lower than anyone thought.
That fall, browser vendors agreed on a long-term plan to deprecate SHA-1-signed certificates on the web. The first major step was taken on January 1, 2016, when they forbade publicly trusted Certificate Authorities to issue new certificates signed with the SHA-1 algorithm.
The last step in this process was in January 2017, when all browser makers agreed to distrust all SSL/TLS certificates signed with the SHA-1 algorithm. This meant that browsers would show an error when a user tried to navigate to an HTTPS site that encrypted communications using a SSL/TLS certificate signed with SHA-1
Microsoft was late to this party, but now, the company has aligned with Google and Mozilla on this stance.
Google & others broke SHA-1 in February 2017
The decision couldn't have come sooner, as, on February 23, 2017, Google and other researchers announced the first-ever SHA-1 collision attack.
For their research, Google generated two different files that had the same SHA-1 digital signature. Since SSL/TLS certificates are nothing more than files, this meant, at least in theory, that someone could create two SSL/TLS certs with the same SHA-1 hash, and impersonate legitimate sites. Fortunately, by that point, Google and Mozilla were already showing errors when accessing these types of sites.
In a security advisory that accompanied the May 2017 Patch Tuesday, Microsoft explains its decision to ban SHA-1-signed certificates in Edge and Internet Explorer, and urges website owners to migrate to using SHA-2-signed certificates.
SHA-1 is an algorithm created by NSA researchers in the 90s that has been used in the past decades to create a digital signature for files or data streams. As it became clear in the mid-2000s that someone could theoretically break SHA-1 hashes, security experts started advising that organizations use SHA-2 or stronger hashing functions to create digital signatures for sensitive files.
credit https://www.bleepingcomputer.com/news/security/microsoft-bans-sha-1-certificates-in-edge-and-internet-explorer/