There has long been talk that it is time to abandon SSL certificates that use the SHA-1 cryptographic algorithm. Vulnerabilities in SHA-1 have been found regularly since 2005, so it has not been safe to use for a long time, and the industry is advised to move to SHA-2. Effective January 1, 2016, the majority of certification authorities plan to refuse to accept SHA-1 certificates. However, Facebook and CloudFlare have unexpectedly spoken out against this.
It has long been planned that the full transition from SHA-1 to SHA-2 should be completed by January 1, 2017. However, many companies prefer to speed up the process. The reason is that in October of this year a joint group of scientists from the Dutch Centrum Wiskunde & Informatica, the French Inria and Nanyang Technological University in Singapore concluded that the algorithm will be cracked much earlier than the deadline, namely within the next three months. The scientists discovered a vulnerability in SHA-1 that significantly reduces the cost and speeds up the process of breaking the algorithm.
However, completely abandoning SHA-1 is also wrong, according to representatives of Facebook and CloudFlare.
CloudFlare head Matthew Prince published a lengthy post on the company's official blog explaining why abandoning SHA-1 could be a huge mistake. The "death" of the algorithm will only mean that many users will be unable to reach the sites they want. Support for SHA-2 is still very unevenly distributed, so millions of people will be cut off from sites they visit daily.
Prince noted that computers running Windows XP (prior to Service Pack 3) and some Android-based devices (Gingerbread and later) do not support SHA-2, and there are still many such devices. According to CloudFlare, 1.69% of browser-based connections require SHA-1. This means that approximately 37 million people are using devices that do not support the new standard at all.
“Imagine that the entire population of California could not use encryption without updating their devices. The number of sites that work only with SHA-2 is growing, but if a user with a browser that supports only SHA-1 tries to visit such a site, he will see an error message, and access to the resource will be completely blocked,” says Prince.
The CloudFlare head also cites other statistics. While in North America 99% of browsers support SHA-2, the global figures are very different from this rosy picture. For example, in China only 6.08% of browsers can boast SHA-2 support. In Yemen the figure is 5.25%, in Egypt 4.85%. All of these people are already at risk, because the SHA-1 algorithm is not safe. They definitely need good encryption. But the situation will not improve if even SHA-1 is taken away from them, leaving them with nothing.
To avoid this outcome, CloudFlare proposes that sites that have already moved to SHA-2 use a fallback SHA-1 certificate for browsers that do not support the new standard. Modern browsers will then work with SHA-2, while users of older versions will not be left behind and lose their last line of defense. The company has already taken the first step toward implementing its initiative: all CloudFlare customers will receive SHA-1 fallback support (which can, of course, be switched off).
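The fallback described above requires the server to decide, per connection, which certificate chain to present. The following is an added example, not CloudFlare's code: it assumes the decision is keyed on the TLS 1.2 `signature_algorithms` extension in the ClientHello (RFC 5246 treats a client that omits it as SHA-1-only), and the function names and chain labels are hypothetical.

```python
import struct

SHA2_HASHES = {4, 5, 6}   # sha256, sha384, sha512 (RFC 5246 HashAlgorithm ids)
SIG_ALGS_EXT = 13         # signature_algorithms extension type

def offered_hashes(hello: bytes):
    """Hash ids from signature_algorithms, or None if the extension is absent.
    `hello` is the handshake message, starting at its msg_type byte."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello")
    try:
        pos = 4 + 2 + 32                                    # header, version, random
        pos += 1 + hello[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
        pos += 1 + hello[pos]                               # compression_methods
        if pos == len(hello):
            return None                                     # no extensions block
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            body = hello[pos + 4 : pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == SIG_ALGS_EXT:
                n = struct.unpack_from("!H", body)[0]
                return {body[i] for i in range(2, 2 + n, 2)}
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return None

def pick_certificate(hello: bytes) -> str:
    """SHA-2 chain only when the client advertises a SHA-2 hash; a client
    that sends no extension is treated as SHA-1-only."""
    hashes = offered_hashes(hello)
    return "sha256-chain" if hashes and hashes & SHA2_HASHES else "sha1-fallback-chain"

def sample_hello(sig_algs=None) -> bytes:
    """Constructed ClientHello for the demo; sig_algs is a list of (hash, sig) ids."""
    ext = b""
    if sig_algs is not None:
        pairs = bytes(b for pair in sig_algs for b in pair)
        data = struct.pack("!H", len(pairs)) + pairs
        ext = struct.pack("!HH", SIG_ALGS_EXT, len(data)) + data
        ext = struct.pack("!H", len(ext)) + ext
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    print(pick_certificate(sample_hello([(4, 1), (2, 1)])))  # modern client
    print(pick_certificate(sample_hello()))                  # legacy client
```

Because the SHA-1 chain is only ever sent to clients that do not advertise SHA-2, a site operator can log how often `sha1-fallback-chain` is chosen and retire it once that share drops.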
Other companies also support the idea of extending the life of SHA-1. Alibaba and Facebook are in favor of temporarily preserving support for the algorithm. According to Prince, the number of supporters is growing: in the last week alone, more than 4000 sites from the top 100,000 added SHA-1 fallback support.
Facebook's head of security, Alex Stamos, also expressed his point of view. In his blog, he agreed with Prince's position, saying that he shares the idea of SHA-1 fallback support. However, Stamos still stresses the need for the industry to transition to SHA-256 certificates, since SHA-1 is insecure.
CloudFlare also announced that it is working with Mozilla. In 2016, the developers plan to present a joint open source project through which the majority of websites will be able to provide their visitors with SHA-1 fallback support.