When midnight strikes on Jan. 1, 2016, a new Internet security standard goes into effect. The cryptographic hashing algorithm that encrypts websites to help keep them secure will be updated. While this is good news for many Web users, for millions of people around the globe– primarily in developing countries — the security upgrade could leave them in the lurch.
What’s the problem? Researchers determined that SHA-1, the current standard encryption algorithm, would no longer be safe from hackers by year’s end. As a result, the CA/Browser Forum, a group that consists of certificate authorities and industry browser leaders like Firefox and Microsoft, announced that SHA-1 certificates would no longer be issued. In its place would be the stronger SHA-2, which will help make sites more secure for virtually all Internet users in the U.S. and other Western countries, but which is not compatible with mobile devices that are more than five years old — bad news for people in mostly developing countries who rely on older-model phones for Internet access, Matthew Prince, co-founder and CEO of web security firm CloudFlare, told CBS News.
“For most users, they will not see anything on January 1. But if you look globally, the estimates vary anywhere from, on the low end, 4 percent to Facebook’s numbers, which are as high as 10 percent of Internet traffic that won’t be able to support the new SHA-2,” Prince said. “This shift is disproportionately weighted against the parts of the world that are poorer and under more repressive regimes.”
Prince suggested that there is something of a disconnect between economically disadvantaged or war-torn countries, and the industry leaders putting the algorithm shift in place, who hail from “the Western parts of the world.”
“No one in these companies would have a five-year-old phone. But then you go to Iran or go to Syria or go to China, where about 6 percent of traffic would be impacted, wouldn’t be able to surf the encrypted Web going forward,” Prince said. “While over the long term the problem will get better — when we trade in an old phone, often they will end up in Syria or sub-Saharan Africa.”
Prince said the encryption standards can be traced back to the early days of the Internet in the mid-1990s when experts realized that if the Web was going to support things like commerce, there needed to be safeguards to ensure data broadcast online could be secured. The original MD5 algorithm was put in place, which became the standard-bearer for encryption systems. Eventually, it was replaced by SHA-1 as computers became faster. Documents are run through these hashing algorithms, outputting a large number, or signature, which is unique to that set of information.
Seeing “https” in front of a URL or the green lock sign present before many websites indicate a certified website, letting users know they are visiting a site that meets these security standards.
Facebook and CloudFlare have been calling for the New Year’s deadline to be extended. A proposal has been sent to the certificate authorities, urging them to reconsider the rapidly-approaching date.
“We don’t think it’s right to cut tens of millions of people off from the benefits of the encrypted Internet, particularly because of the continued usage of devices that are known to be incompatible with SHA-256,” Facebook wrote in a blog post. “Many of these older devices are being used in developing countries by people who are new to the Internet … We should be investing in privacy and security solutions for these people, not making it harder for them to use the Internet safely.”
“The good news is that we are asking them to continue to do what they are doing in a slightly more responsible way,” Prince asserted. “We are not asking them to build something new, the policy change needs to happen. You know, I think it’s very hard to be sitting in a comfortable office in Silicon Valley with a 4K monitor and an iPhone 6s and the latest Macbook and realize that there are parts of the world that don’t have those things and can’t afford to update monetarily. Sometimes they can’t just access the technology for an upgrade.”
Prince said that he believes there is a 50/50 chance that the current deadline will be reconsidered. He said he applauds the work of CA/Browser Forum and that it’s important to ensure that you have “100 percent security.” That being said, the implications of more than six percent of China’s population, for instance, not having access to encrypted websites, would be vast.
Prince reiterated that the good news is that, for most users, there is nothing to worry about. The Web will be a little safer. But “the most vulnerable people out there could get cut off from crucial portions of the Internet,” he said. “We, along with Facebook, want to prevent this from happening.”