Top companies such as Google and Microsoft announced that their browsers would stop supporting sites running the less secure SHA-1 certificates. Tens of millions of Internet users will be cut off from encrypted webpages in the coming months unless sites are permitted to continue using SHA1, a cryptographic hashing function that's being retired because it's increasingly vulnerable to real-world forgery attacks, Facebook and Web security company CloudFlare have warned.
According to Facebook, at the beginning of 2016, the SHA256 function will serve as the new minimum requirement and as many as seven percent of the world's browsers are currently unable to support it. That translates into tens of millions of end users, and a disproportionate number of them are from developing countries still struggling to get online or protect themselves against repressive governments. CloudFlare estimates that more than 37 million people won't be able to access encrypted sites that rely on certificates signed with the new algorithm.
Both companies unveiled a controversial fallback mechanism that uses SHA1-based certificates to deliver HTTPS-encrypted web pages to people who still rely on outdated browsers. The remaining, much larger percentage of end users with modern browsers would be served HTTPS pages secured with SHA256 or an even stronger function. The mechanisms, which both companies are making available as open-source software, will allow websites to provide weaker HTTPS protection to older browsers while giving newer ones the added benefits of SHA256. Facebook is deploying the plan on most or all of the sites it operates, while CloudFlare will enable it by default for all of its customers. CloudFlare said other sites, including those run by Chinese portal Alibaba, are also implementing it.
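As an added example (not Facebook's or CloudFlare's code, and not part of the original article), here is one way a server could choose between the two certificate chains, assuming the decision is keyed on the TLS 1.2 `signature_algorithms` extension in the ClientHello; the article does not say how either company detects client support. The names `offered_hashes`, `pick_certificate` and `build_hello` are hypothetical, and the ClientHello bytes are constructed samples.

```python
import struct

SIG_ALGS_EXT = 13  # signature_algorithms extension type (RFC 5246)
HASH_SHA256 = 4    # HashAlgorithm.sha256 (RFC 5246)

def offered_hashes(hello: bytes):
    """Hash ids a TLS 1.2 ClientHello lists in signature_algorithms, or None if absent.
    `hello` is the handshake message without the record header."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello")
    body = hello[4:4 + int.from_bytes(hello[1:4], "big")]
    try:
        pos = 2 + 32                                          # version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello")
    if pos + 2 > len(body):
        return None                                           # no extensions block
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:min(end, pos + 4 + ext_len)]
        if ext_type == SIG_ALGS_EXT:
            pairs = data[2:2 + int.from_bytes(data[:2], "big")]
            return {pairs[i] for i in range(0, len(pairs) - 1, 2)}
        pos += 4 + ext_len
    return None

def pick_certificate(hello: bytes) -> str:
    """Hypothetical policy: SHA-256 chain only when the client advertises it."""
    hashes = offered_hashes(hello)
    return "sha256" if hashes and HASH_SHA256 in hashes else "sha1"

def build_hello(extensions: bytes = b"") -> bytes:
    """Constructed sample ClientHello: TLS 1.2, one cipher suite, given extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    return b"\x01" + len(body).to_bytes(3, "big") + body

RENEG = bytes.fromhex("ff01000100")               # unrelated extension, skipped
MODERN = build_hello(RENEG + bytes.fromhex("000d00060004" "04010201"))
SHA1_ONLY = build_hello(bytes.fromhex("000d000400020201"))
LEGACY = build_hello()                            # no extensions at all

if __name__ == "__main__":
    for name, hello in (("modern", MODERN), ("sha1-only", SHA1_ONLY), ("legacy", LEGACY)):
        print(name, "->", pick_certificate(hello))
```

A client that omits the extension is treated as SHA-1-only here, which matches the TLS 1.2 default in RFC 5246.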
In a blog post published Wednesday, Facebook Chief Security Officer Alex Stamos wrote:
“We don't think it's right to cut tens of millions of people off from the benefits of the encrypted Internet, particularly because of the continued usage of devices that are known to be incompatible with SHA-256. Many of these older devices are being used in developing countries by people who are new to the Internet, as we learned recently when we rolled out TLS encryption to people using our Free Basics Platform. We should be investing in privacy and security solutions for these people, not making it harder for them to use the Internet safely.”