Change to SHA-2 SSL Certificates Could Black Out 37 Million Cellphone Users Globally

“The SHA-1 algorithm is not necessarily completely insecure -- it's not like hackers out there, if you're using that certificate, can read your private information -- this is really people being extremely conservative,” a CloudFlare spokesman told us. “Because of how slow people are to upgrade their phones, they made an arbitrary deadline of January 2016. Websites can continue to support these old phones and browsers, but only if the CA/Browser Forum goes along with the proposal from CloudFlare and Facebook,” which are working on a fallback to accommodate websites with the older certificate. CA/Browser Forum -- the voluntary consortium of certificate authorities, browser vendors, operating systems and others -- develops industry encryption policy.

Starting in 2008, most websites began switching certificate signatures from the MD5 algorithm, which was used in the early days of the Internet, to SHA-1 -- a process that wasn't completed until 2013, a CloudFlare blog post said. However, Mozilla and Internet Explorer were able to support both MD5 and SHA-1, it said. At that time, SHA-1 was widely available on even legacy browsers, but that’s not the case with SHA-2, which has limited support. For example, Windows XP older than Service Pack 3 has no SHA-2 support, the CloudFlare spokesman said. And many Android phones (pre-Gingerbread), which are less than five years old, don't support SHA-2 completely, the company's blog post added. Given how difficult some carriers make it to upgrade phones, many of the legacy phones are still in use, the post said. AT&T, Sprint, T-Mobile and Verizon didn't comment.

The impact will be largely felt in developing countries where many individuals own the older cellphones; only about 1 percent in the U.S. may be affected. But Nicol Turner-Lee, vice president of the Multicultural Media, Telecom and Internet Council, which hasn’t taken a position on the issue, told us lower-income Americans, the elderly or people who have received an old phone from a family member would likely be hit hardest. Such consumers are likely late adopters who struggle with trusting technology, so a sudden inability to check email, bank balances or social media sites won’t encourage trust, she said.

“In the advancement and innovation of technology, the challenge is reconciling the old with the new and ensuring the same levels of protection for those that are still tied, in some way, to the legacy technology,” Turner-Lee said. “If there's disconnect for those that still have legacy technology and they do not feel safe, then it becomes a broader issue for those groups who will be left behind,” she said.

Generally the poorest, most repressive and war-torn countries are most affected by the SHA-2 update, while support in Western Europe and North America is universally more than 99 percent, CloudFlare said in the blog post. “After December 31 most of the encrypted web will be cut off from the most vulnerable populations of Internet users who need encryption the most,” it said.

Facebook wouldn't comment on the issue beyond what Chief Security Officer Alex Stamos wrote in a Dec. 9 blog post, that the company supports CloudFlare’s “different approach.” He said company data has shown that 3 percent to 7 percent of browsers now in use won’t be able to use the newer standard, meaning millions of people in mostly developing countries won’t be able to securely use the Internet after Thursday, likely resulting in “a serious backslide in the deployment of HTTPS by governments, companies and [nongovernmental organizations] that wish to reach their target populations.”

Stamos said CloudFlare’s proposal would require CA/Browser Forum to create a new “Legacy Verified” certificate that would be issued only to organizations that can show they offer the stronger certificates to modern browsers. If the forum can’t do this by Thursday, then it needs to rethink the process until standards for legacy certificates are established. He said Facebook has also “found success running a large TLS [transport layer security] termination edge with certificate switching,” meaning Facebook “intelligently” chooses which certificate a visitor sees based on “our guess as to the capabilities of their browser.” Older browsers use SHA-1 while newer ones get the more secure certificate, he wrote.

Since Firefox has supported SHA-2 since its first version, Mozilla earlier this year switched its certificates to SHA-2, leading to a drop in downloads. But the company is making it possible for all users to continue using Firefox. "Mozilla has implemented mechanisms that will allow users of old browsers, including those which do not support SHA-2, to download Firefox. Firefox supports SHA-2 on all platforms, including older ones," Richard Barnes, Firefox security lead, said in an emailed statement.

Google's Chrome browser already has begun displaying a warning for SHA-1-based certificates that expire after 2015, CloudFlare said in the blog post. Other browsers are mirroring Google and, over the course of 2016, will begin issuing warnings and eventually completely distrust connections to sites using SHA-1 signed certificates. Microsoft didn't comment and referred us to a Nov. 4 blog post by Kyle Pflug, Microsoft Edge program manager. He wrote that “in light of recent advances in attacks on the SHA-1 algorithm, we are now considering an accelerated timeline to deprecate SHA-1 signed TLS certificates as early as June 2016.” He said the company will continue to coordinate with other browsers to assess “the impact of this timeline based on telemetry and current projections for feasibility of SHA-1 collisions.”