
Facebook and CloudFlare warn of SHA1 Sunset blocking

Facebook and web security firm CloudFlare have warned that tens of millions of Internet users could well be cut off from accessing encrypted web pages in the coming months due to the imminent SHA1 sunset.

This is because, unless sites are permitted to continue using SHA1 – a cryptographic hashing function that's being retired because it's increasingly vulnerable to real-world forgery attacks – many users, especially in developing countries, will be unable to access HTTPS web pages.

Facebook claims that seven per cent of the world's browsers are unable to support the SHA256 certificate signing function. The problem is that SHA256, starting in 2016, will serve as the new minimum requirement for signing certificates used in HTTPS. Consequently, users of browsers unable to support it will be unable to open pages that are using certificates signed using SHA256.

Aware of this potential disruption to their users – especially those in developing countries – Facebook and CloudFlare have unveiled a controversial fallback mechanism that uses SHA1-based certificates to deliver HTTPS-encrypted webpages to people who still rely on outdated browsers. This will not affect users with modern browsers, who will be served HTTPS pages secured with SHA256-signed certificates. Both companies will make the fallback mechanism available as open-source software, which will allow web developers to protect their encrypted pages with SHA1 in order to support older browsers whilst still offering the stronger SHA256 to customers using newer browsers.

Facebook is deploying the plan on most or all of the sites it operates, while CloudFlare will enable it by default for all of its customers.

Facebook Chief Security Officer Alex Stamos wrote: "We don't think it's right to cut tens of millions of people off from the benefits of the encrypted Internet, particularly because of the continued usage of devices that are known to be incompatible with SHA-256.

"Many of these older devices are being used in developing countries by people who are new to the Internet, as we learned recently when we rolled out TLS encryption to people using our Free Basics Platform. We should be investing in privacy and security solutions for these people, not making it harder for them to use the Internet safely."

Photo source: Shutterstock/Toria