Facebook and Cloudflare want an SHA-1 fallback system

Dec 9, 2015 22:21 GMT

Cloudflare and Facebook have come up with an alternative solution for dealing with the impending deprecation of SSL/TLS certificates signed with the SHA-1 algorithm.

As you may or may not know, starting in 2016, all browser makers will begin showing errors for, and later prevent users from accessing, HTTPS sites that use an SHA1-signed digital certificate.

This process was meant to be delayed as long as possible, until late 2017, but a recent research paper has shown that SHA-1 certificates can be cracked at relatively low cost, using the processing power of computers that are in use today. This revelation has accelerated the SHA-1 deprecation process, and both Microsoft and Mozilla have said they'll start deprecating SHA-1 certificates earlier than previously announced.

37 million Internet users still using SHA1-only browsers

Cloudflare is now saying that this may be a bad idea, since it will leave millions of users without access to HTTPS-encrypted traffic. Using data from its massive CDN and server network, the Cloudflare team was able to estimate that around 37 million people use older browsers where the newer SHA-2 cannot ever be supported. With websites moving to SHA-2, these people would not be able to access any HTTPS website in the near future.

Most of these people are using older desktop and mobile browsers, on XP machines or old Internet-enabled mobile phones. Cloudflare data reveals that most of these users are located in China, Iran, Nepal, and many African countries.

Despite the fact that, in Cloudflare's estimation, at least 98.31% of the current Internet users are surfing the Web on an SHA2-capable browser, the company cannot live with the idea of restricting access to encrypted traffic for 37 million people. This opinion is also shared by Alex Stamos, Facebook's Chief Security Officer.

SHA-1 as a fallback for older browsers only

Both companies are now proposing an alternative scenario for the CA/B Forum, the organization in charge of encryption policies for certificate authorities and browsers.

According to their plan, websites should use SHA-2 by default, but whenever they detect a user with an older browser, they should provide an alternative SHA-1 certificate instead.

Facebook's developers have already made available the source code to implement such a feature on the technical (server) side, a solution already used for the company's own services.

Cloudflare has also activated a similar SHA-1 fallback system for all of its clients, free of charge. This option can be turned off by Cloudflare customers if they don't want to expose their own clients to insecure SHA-1 connections.
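The certificate selection described above, as an added example that is not Facebook's or Cloudflare's code. It assumes the server decides from the TLS `signature_algorithms` extension in the ClientHello (the article does not say which signal is used); the function names and the sample ClientHello builder are constructed for illustration.

```python
import struct

SIGNATURE_ALGORITHMS = 13      # TLS extension type (RFC 5246, 7.4.1.4.1)
SHA2_HASHES = {4, 5, 6}        # HashAlgorithm ids: sha256, sha384, sha512


def offered_hashes(record: bytes) -> set:
    """Return the HashAlgorithm ids a ClientHello lists in signature_algorithms."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                                  # headers, version, random
    pos += 1 + record[pos]                                # session_id
    pos += 2 + struct.unpack_from(">H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    if pos >= len(record):                                # no extensions (old clients)
        return set()
    end = pos + 2 + struct.unpack_from(">H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from(">HH", record, pos)
        body = record[pos + 4:pos + 4 + ext_len]
        if ext_type == SIGNATURE_ALGORITHMS:
            return set(body[2::2])     # skip list length, keep the hash byte of each pair
        pos += 4 + ext_len
    return set()


def choose_certificate(record: bytes) -> str:
    """Serve the SHA-2 chain unless the client gives no sign of supporting it."""
    try:
        hashes = offered_hashes(record)
    except (ValueError, IndexError, struct.error):
        return "sha256"                # malformed input never gets the weaker chain
    return "sha256" if hashes & SHA2_HASHES else "sha1"


def build_client_hello(sig_algs=None) -> bytes:
    """Constructed sample input: minimal ClientHello, optionally with signature_algorithms."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if sig_algs is not None:
        pairs = bytes(b for pair in sig_algs for b in pair)
        ext = struct.pack(">HHH", SIGNATURE_ALGORITHMS, len(pairs) + 2, len(pairs)) + pairs
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake
```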

"The CA/Browser Forum should create a new type of Legacy Verified certificate that should only be issued to organizations that have demonstrated they are offering SHA-256 certificates to modern browsers," proposed Alex Stamos. "If this change cannot be implemented by December 31st, then we call on the CA/B Forum to delay the implementation of the SHA-1 rules for the period necessary to establish standards for Legacy certificates."

Browser support for SHA-1 and SHA-2