Twitter Joins CloudFlare and Facebook Proposal for Delaying SHA-1’s Sunset
Twitter is the latest tech company to suggest that support for SSL certificates using the SHA-1 cryptographic hash function should be kept in older web browsers.
Earlier this month, CloudFlare and Facebook revealed a proposal to delay the sunset of SHA-1 certificates, arguing that many users are still on older browsers and devices that cannot validate certificates signed with the newer SHA-2 family. In a blog post published this week, Michael Coates, Trust & Information Security Officer at Twitter, notes that the microblogging company fully supports the proposal.
Designed two decades ago by the NSA, the SHA-1 algorithm has become an important Internet security standard for HTTPS connections, but researchers have found weaknesses in it in recent years. Back in 2012, the National Institute of Standards and Technology (NIST) suggested that the industry should stop using SHA-1 certificates in 2014, but they continue to be widely used around the web.
Internet companies are already making the necessary preparations to move away from the standard: Microsoft announced in 2013 that it planned to deprecate the use of SHA-1 in code signing and SSL certificates and to move to the more secure SHA-2 algorithm. Google and Mozilla followed suit in September last year, revealing that the Chrome and Firefox browsers will no longer accept SHA-1 certificates beginning January 1, 2017.
New research has concluded that the cost of collision attacks, one of the main threats to SHA-1, has dropped significantly in recent years, and that the industry should accelerate the adoption of SHA-2 (most commonly deployed as SHA-256). As a result, Mozilla said in October that it might start rejecting SHA-1 certificates in Firefox earlier than initially announced, starting in July 2016, and Google said last week that Chrome might follow suit.
CloudFlare and Facebook, however, suggest that these companies should consider keeping SHA-1 support alive for older browser versions. They propose that, while modern browsers would be served SHA-2 certificates, websites should fall back to SHA-1 certificates for browsers that cannot support the new algorithm, such as those on legacy devices, which are widespread among users in emerging markets.
In the aforementioned blog post, Twitter’s Michael Coates makes the same point, explaining that the fast migration plans might leave users with low-end devices that do not support SHA-256 certificates cut off from the encrypted web. He notes that between 3 percent and 6 percent of Twitter users have old devices that would no longer be able to reach websites over HTTPS once the SHA-256 migration is complete.
“Many of these people are in parts of the world where it is prohibitively expensive to buy a new device. This fact puts these users in a difficult situation, faced with only two options: One, have their traffic trivially monitored as it passed over unencrypted HTTP; or two, have no access at all to the numerous websites that are only accessible over HTTPS,” Coates explained.
Twitter supports the proposal Facebook and CloudFlare brought to the CA/Browser Forum because it still ensures that the industry migrates to SHA-2 while offering continued access for devices that only support SHA-1 certificates. The company is also fully committed to adopting SHA-256 certificates and is already deploying them, while still serving certificates signed with the weak SHA-1 algorithm when it detects older clients without SHA-256 support.
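The article does not say how a site tells a legacy client from a modern one. The following Python is an added example, not Twitter's or CloudFlare's code, that makes that choice from the TLS ClientHello; it assumes detection via the signature_algorithms extension (RFC 5246 extension type 13), treating pre-TLS 1.2 clients and TLS 1.2 clients that omit the extension or do not list sha256 as SHA-1-only, which matches the RFC's {sha1, rsa} default. The ClientHello messages are constructed inline.

```python
import struct

SIGNATURE_ALGORITHMS = 13          # TLS extension type, RFC 5246 section 7.4.1.4.1
HASH_SHA256 = 4                    # HashAlgorithm code point for sha256
TLS_1_2 = (3, 3)                   # ProtocolVersion {major, minor}

def parse_client_hello(record: bytes) -> dict:
    """Return the client version and the set of hash algorithms it advertises."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[5 + 4:]                      # skip record header and handshake header
    version = (body[0], body[1])
    pos = 2 + 32                               # client_version + random
    pos += 1 + body[pos]                       # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                       # compression_methods
    hashes = set()
    if pos < len(body):                        # extensions block is optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SIGNATURE_ALGORITHMS:
                sa_len = struct.unpack(">H", body[pos:pos + 2])[0]
                # list of (HashAlgorithm, SignatureAlgorithm) byte pairs
                hashes.update(body[pos + 2 + i] for i in range(0, sa_len, 2))
            pos += ext_len
    return {"version": version, "hashes": hashes}

def choose_chain(record: bytes) -> str:
    """Serve the SHA-256 chain only to clients that can verify it; otherwise the legacy SHA-1 chain."""
    info = parse_client_hello(record)
    if info["version"] >= TLS_1_2 and HASH_SHA256 in info["hashes"]:
        return "sha256"
    return "sha1-legacy"                       # pre-TLS 1.2, or TLS 1.2 without sha256 (RFC default is sha1)

def build_client_hello(version, sig_algs=None) -> bytes:
    """Constructed minimal ClientHello: one cipher suite, null compression, optional signature_algorithms."""
    body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if sig_algs is not None:
        sa = b"".join(bytes(pair) for pair in sig_algs)
        ext = struct.pack(">HHH", SIGNATURE_ALGORITHMS, len(sa) + 2, len(sa)) + sa
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake

MODERN = build_client_hello(TLS_1_2, [(4, 1), (5, 1), (2, 1)])   # sha256/rsa, sha384/rsa, sha1/rsa
LEGACY_TLS10 = build_client_hello((3, 1))                          # old device, TLS 1.0, no extensions
TLS12_SHA1_ONLY = build_client_hello(TLS_1_2, [(2, 1)])            # TLS 1.2 but advertises sha1 only
```

A real deployment also has to log which chain each client received, so the share of SHA-1 fallbacks (the 3 to 6 percent Twitter cites) can be tracked down to zero before the chain is retired.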
Coates also notes that Twitter supports the proposal because it only allows legacy validated SHA-1 certificates when the domain also provides SHA-256 support, and because legacy validated SHA-1 certificates are available only under specific requirements and will still sunset in March 2019. Moreover, the increased randomization of serial numbers in legacy validated certificates makes collisions against such certificates harder to engineer, since an attacker can no longer predict the full contents the CA will sign, another reason to support the proposal.
Twitter claims that keeping SHA-1 certificates alive only for older browsers provides maximum security for the majority of users while ensuring that those with low-end devices neither lose access to HTTPS sites nor are pushed onto unencrypted HTTP, where their traffic can be monitored.