SSL certificates that use the SHA-1 hash algorithm for their signature are expected to be rejected by major browsers over the course of 2016, but Facebook and CloudFlare are pledging for a delayed sunset of the cryptographic hash algorithm.
According to a recent blog post from CloudFlare’s Matthew Prince, while the move to a more secure standard is welcomed, the death of SHA-1 is expected to result in many users being unable to access websites that still use the algorithm. He notes that SHA-2 support is limited and that millions of users will be cut off from websites they are accessing daily.
Researchers have been finding flaws in SHA-1 since 2005, over ten years ago, and the use of this algorithm has been deprecated since 2011, with the industry urged to move to the more secure SHA-2. Starting with January 1, 2016, most Certificate Authorities won’t issue new SHA-1 certificates, while the move from the insecure standard is expected to be completed by January 1, 2017.
Prince notes that desktop computers running Windows XP older than Service Pack 3 versions and pre-Gingerbread Android devices don’t support SHA-2 and that many of them are still in use today. Data gathered from CloudFlare’s network revealed that 1.69 percent of the browser connections require SHA-1, which translates into roughly 37 million people still using devices that lack support for the new standard.
“That’s the equivalent of the population of California not having access to encryption unless they upgrade their devices. As SHA-2 only sites proliferate, if these users on SHA-1-only browsers try and access an encrypted site, they’ll see an error page that completely blocks their access,” Prince explained.
He also notes that, while over 99 percent of browsers used in North America include SHA-2 support, things are different in other areas of the world. In China, for example, 6.08 percent of browsers lack the support, while 5.39 percent in Cameroon, 5.25 percent in Yemen, 4.69 percent in Sudan, and 4.85 percent in Egypt are lacking.
A list of 25 countries with the lowest SHA-2 support, cross-checked with data from large Internet providers who had conducted similar surveys, shows they represent the poorest, most repressive, and most war torn countries in the world. Basically, already vulnerable people who might need encrypted Internet the most will be cut off from multiple websites as soon as SHA-1 sunsets.
To avoid this situation, CloudFlare proposes that SHA-2 signed certificates be served for modern browsers, and that websites fall back to SHA-1 certificates for browsers that cannot support the new algorithm. “That ensures modern browsers can deprecate SHA-1 but we can continue to support users in the developing world on legacy devices,” Prince says.
The company has already made the first step in this direction, providing all paid CloudFlare customers with support for SHA-1 fallback. Business and Enterprise customers can disable the fallback from the Crypto Application in the CloudFlare control panel, and Pro customers will be able to do the same before year’s end.
Other companies around the world are also supporting SHA-1 fallback, including Alibaba and Facebook, along with other website owners in China, Russia, and other countries. According to Prince, the company this week added 4,000 sites of the top 100,000 to the list of non-CloudFlare sites that support SHA-1 fallback.
In a blog post, Facebook’s Chief Security Officer Alex Stamos notes that the social network fully supports CloudFlare’s initiative, although he too agrees that the industry should transition to SHA-256 certificates, based on the recent advancements in SHA-1 collision attacks. He also notes that tech companies should not cut off people in developing countries who use devices incompatible with SHA-256 from the Internet, but should invest in privacy and security solutions for them.
“Facebook has found success running a large TLS termination edge with certificate switching, where we intelligently choose which certificate a person sees based upon our guess as to the capabilities of their browser. This allows us to provide HTTPS to older browsers using SHA-1 while giving newer browsers the security benefits of SHA-256,” Stamos says.
He also notes that the CA/Browser Forum should create a new type of Legacy Verified certificate (the suggestion comes from CloudFlare) to companies already offering SHA-256 certificates to modern browsers. If the change cannot be implemented by December 31, the CA/Browser Forum should “delay the implementation of the SHA-1 rules for the period necessary to establish standards for Legacy certificates,” Stamos continues.
CloudFlare has been working with Mozilla, the maker of Firefox browser, for the development of their SHA-1 fallback feature, and the company plans on making the algorithm open source next year, to allow more sites to properly support SHA-1 fallback. Modern browsers should continue to remove support for SHA-1 certificates, but the industry should adopt SHA-1 fallback in a responsible manner, by patching any vulnerabilities that could lead to attacks and compromise.
Website owners looking to continue offering SHA-1 support are advised to get a SHA-1 certificate before the end of the year, otherwise they might not be able to provide some of their users with encryption, should the proposal for LV certificates is rejected.