Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

SHA-1 cutoff could block millions of users from encrypted websites

Lucian Constantin | Dec. 11, 2015
Tens of millions of users would be unable to access HTTPS websites that only use SHA-2-signed certificates, Facebook and Cloudflare have warned.

According to CloudFlare's data, the top ten countries with the lowest support for SHA-2 are: China (6.08%), Cameroon (5.39%), Yemen (5.25%), Sudan (4.69%), Egypt (4.85%), Libya (4.83%), Ivory Coast (4.67%), Nepal (4.52%), Ghana (4.42%) and Nigeria (4.32%). The top 25 list includes additional countries from Africa, the Middle East, Asia and Central and South America.

"In other words, after December 31st most of the encrypted web will be cut off from the most vulnerable populations of Internet users who need encryption the most," the CloudFlare researchers said. "And, unfortunately, if we're going to bring the next 2 billion Internet users online, a lot of them are going to be doing so on secondhand Android phones, so this problem isn't going away any time soon."

Facebook signaled the same problem, estimating that 3 to 7 percent of browsers currently in use don't support SHA-256, also known as SHA-2.

"A disproportionate number of those people reside in developing countries, and the likely outcome in those counties will be a serious backslide in the deployment of HTTPS by governments, companies and NGOs that wish to reach their target populations," said Alex Stamos, Facebook's chief security officer, in a blog post Wednesday.

Facebook has solved this problem by building a mechanism that allows its certificates to be switched automatically based on the browser used by the visitor. In this way, modern browsers will be served a SHA-2 certificate and older ones will receive a certificate signed with SHA-1.

This allows browser vendors to continue with their plan to cut off support for SHA-1 certificates next year, while allowing websites to serve users with old devices that are unlikely to ever be updated.

Facebook has made the code for its certificate switching mechanism open source under a BSD license, as part of its larger Proxygen HTTP library project. This means that other developers can use it in their own projects and TLS proxies.

CloudFlare, which runs a content delivery network to optimize and protect its customers' websites, has enabled automatic SHA-1 fallback for its paying users. If they wish, business and enterprise customers can turn off the feature, and pro users will be able to do the same by the end of the year.

Facebook and CloudFlare are not the only companies taking such actions. Chinese Internet firm Alibaba uses SHA-1 fallback across many of its websites, which is not surprising givien the large number of users in China who access the Web from browsers that lack SHA-2 support.

Facebook and CloudFlare want to take it one step further. They're urging the CA/B Forum to create a new class of certificates called Legacy Validated (LV) certificates for which SHA-1 signatures would continue to be allowed.

Such certificates could be issued past the existing SHA-1 retirement date to organizations which can prove that they use modern certificates and protocols with modern browsers and fall back to LV certificates only for legacy browsers.

 

Previous Page  1  2 

Sign up for MIS Asia eNewsletters.