Those who haven't updated their web browsers in a while should probably think about doing so soon, according to Facebook.
The social media company says that in 2016, a number of major web browsers will stop supporting a key security algorithm called SHA-1. The replacement for that algorithm, SHA-2, won't work on older web browsers. Not only that, but according to Facebook many of the people who will be vulnerable when SHA-1 goes out of commission live in areas where Internet use is closely watched. Often they cannot update to newer versions because their older computers or phones don't support newer software.
"A disproportionate number of those people reside in developing countries, and the likely outcome in those countries will be a serious backslide in the deployment of HTTPS by governments, companies and NGOs that wish to reach their target populations," said Alex Stamos, Facebook's chief security office, in a blog post. Information is transmitted between users and websites via Hyper Text Transfer Protocol Secure (HTTPS), the secure version of the protocol used to send data between browsers and websites. HTTPS uses the SHA-1 algorithm, so when browsers don't have the SHA-1 algorithm (or an updated version of it), then HTTPS isn't secure as it should be.
According to Facebook, between 3 and 7 percent of all web browsers will be too old to use SHA-2. SHA-1 offers a number of security measures to help conceal what people are doing online. Recently, however, it has become easier for attackers to impersonate websites to spy on users.
The blog post highlights the fact that most of the people using these outdated web browsers are living in poorer countries. SHA-2 is supported by at least 98.31 percent of browsers worldwide, but cutting 1.69 percent off the encrypted Internet represents over 37 million people, security company CloudFlare notes. Those affected are often the most vulnerable populations of Internet users who need encryption the most, the company says, and as more users in underserved companies come online, many will be using older equipment so the problem will continue.
Facebook and CloudFlare are highlighting the end of the security tool, and CloudFlare notes it will affect many poor people. Both companies are calling for a change to how a web browser will handle SHA-1 once it is retired. According to the proposal, SHA-1 would still be in use for web browsers that can't support the new algorithm, what they call SHA-1 fallback. They recommend using SHA-2 signed certificates for modern browsers and "falling back" to SHA-1 certificates for browsers that cannot support SHA-2.
The firms are calling on the CA/Browser Forum to make the changes and support a two-tier security system. The CA/Browser Forum is the body that handles Internet browser security standards, but it has yet to respond to the proposal.
According to CloudFlare's calculations, it would cost $700,000 today to continue to generate SHA-1 collision, however by 2021 that number should fall to $43,000.