Why millions will have restricted Internet access starting next week
Internet surfers may take that little green or gold lock in the corner of their Web browser for granted. But starting Jan. 1, 2016, it might go away for a small percentage of people across the globe, and millions of users could lose access to websites because of it.
It’s all to do with the “SHA-1 Sunset,” a phrase technology insiders use for the expiration of support for a certain level of encryption. Over the next year, the SHA-1 level of encryption and older algorithms will no longer meet the trusted level of security for many websites, leaving as many as 37 million people unable to access them, according to research from Internet performance and security company CloudFlare.
It’s a routine update to a Web feature called the certificate signature hashing algorithm. But the change, decided by a consortium of vendors of Internet browser software, could disproportionately affect mobile devices in the developing world.
As a result, some of the world’s most vulnerable population will be left with only the selection of websites they can view without the needed safety protocols.
Encryption, certificates and algorithms
Here’s how it works, according to Tim Erlin, director of IT security and risk strategy at Tripwire.
When your browser connects to a website, each sends and receives data. During the encryption process, the website and browser enter into a “conversation,” to use a metaphor. When they do so, they negotiate a secret, secure code to “speak” in, one that is different for every conversation.
Part of the negotiation between the browser and website is to agree to use the most complex language that both parties can understand, Erlin said.
“Hackers break that algorithm,” Erlin said. “Once it’s broken, it becomes much easier for a criminal to overhear your conversations. There should always be a plan to upgrade the algorithm because people are always looking to break it.”
Luckily, most people are protected from these types of hackers without any action on their part, since many websites and browsers default to encrypted versions, signified by the “s” in “https://.” Indeed, if you’re using an up-to-date browser, you probably were automatically upgraded to at least SHA-2 level algorithms, Erlin said.
Impact on the developing world
But older operating systems and browsers, such as Windows XP, may no longer support updates to newer encryption levels, said Erlin. And more encryption requires more processing power, leaving older mobile devices, mostly used in developing countries, too jammed up to handle secure browsing.
That may leave users with phones older than five years with an error message when they try to access sites that don’t offer unencrypted versions — a decision that varies for each individual site, Erlin said.
SHA-2 support in Western Europe and North America is universally more than 99 percent, according to new CloudFlare research. But closer to 5 percent of Internet users in countries like China, Cameroon, Yemen, Sudan, Egypt and Libya use browsers without SHA-2 support.
“When you trade in your cellphone in a country like the United States, those cellphones make their way to the developing world,” Matthew Prince, co-founder of CloudFlare, told CNBC’s “Squawk Alley” on Monday. “And those phones are ending up in the hands of people who now won’t be able to access parts of the encrypted Internet.”
Worldwide, a population roughly the size of California doesn’t have the needed support, CloudFlare estimates.
“Unfortunately, this list largely overlaps with lists of the poorest, most repressive, and most war-torn countries in the world,” CloudFlare wrote. “In other words, after Dec. 31, most of the encrypted Web will be cut off from the most vulnerable populations of Internet users who need encryption the most. And, unfortunately, if we’re going to bring the next 2 billion Internet users online, a lot of them are going to be doing so on secondhand Android phones, so this problem isn’t going away anytime soon.”
Debate among technology companies
Because SHA-2 support is more limited than during previous certificate signature hashing algorithm upgrades, technology companies have been forced to debate an “appropriate balance between two desirable goals … making systems secure against new attacks and providing security to the broadest population,” wrote Facebook’s chief security officer, Alex Stamos, in a blog post.
Google has been the most aggressive at turning off the old encryption support. Alibaba, on the other hand, has made sure its sites fall back to support the older versions of encryption technology, Prince said.
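The fallback Prince describes, and the negotiation Erlin outlines in the section above, come down to one server-side decision: which certificate chain to send a given client. The following is an added example, not code from the article, CloudFlare, Alibaba or Facebook. It assumes a server that holds two chains, one signed with SHA-256 and a legacy one signed with SHA-1, and a TLS 1.2 ClientHello as laid out in RFC 5246, whose signature_algorithms extension (type 13) is where a client lists the hash algorithms it can verify. A client that omits the extension, as TLS 1.0 and 1.1 clients do, is assumed by that RFC to support only SHA-1, which is exactly the case the older phones fall into. The ClientHello records are constructed inside the block for illustration; a real server would read them off the socket.

```python
"""Choose a SHA-256 or legacy SHA-1 certificate chain from a TLS 1.2 ClientHello.

Illustrative example (not from the article or any vendor's code). Assumes the
RFC 5246 ClientHello layout and a server holding both a SHA-256-signed chain
and a legacy SHA-1-signed chain.
"""
import struct

SIGNATURE_ALGORITHMS_EXT = 13  # RFC 5246 extension type: signature_algorithms
# HashAlgorithm codes from RFC 5246 section 7.4.1.4.1
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SHA2_NAMES = {"sha224", "sha256", "sha384", "sha512"}


def build_client_hello(client_version, sig_algs):
    """Construct a minimal TLS record carrying a ClientHello (sample input only).

    sig_algs is a list of (hash, signature) code pairs for the
    signature_algorithms extension, or None to omit the extension entirely,
    as a TLS 1.0/1.1 client would.
    """
    hello = struct.pack("!H", client_version)
    hello += b"\x00" * 32                       # client random (constructed, all zero)
    hello += b"\x00"                            # empty session id
    hello += struct.pack("!HH", 2, 0x002F)      # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x01\x00"                        # one compression method: null
    if sig_algs is not None:
        pairs = b"".join(struct.pack("!BB", h, s) for h, s in sig_algs)
        ext_body = struct.pack("!H", len(pairs)) + pairs
        ext = struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(ext_body)) + ext_body
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # record layer


def parse_client_hello(record):
    """Parse a ClientHello record into its client version and extension map."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 0x16 or len(body) != rec_len or body[:1] != b"\x01":
        raise ValueError("not a complete ClientHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    (client_version,) = struct.unpack_from("!H", hello, pos); pos += 2
    pos += 32                                   # skip client random
    pos += 1 + hello[pos]                       # skip session id
    (cs_len,) = struct.unpack_from("!H", hello, pos); pos += 2 + cs_len
    pos += 1 + hello[pos]                       # skip compression methods
    extensions = {}
    if pos < len(hello):                        # the extensions block is optional
        (ext_total,) = struct.unpack_from("!H", hello, pos); pos += 2
        end = pos + ext_total
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos); pos += 4
            extensions[ext_type] = hello[pos:pos + ext_len]; pos += ext_len
    return {"version": client_version, "extensions": extensions}


def advertised_hashes(hello):
    """Return the hash names a client advertises, or None if it sent no extension."""
    ext = hello["extensions"].get(SIGNATURE_ALGORITHMS_EXT)
    if ext is None:
        return None
    (n,) = struct.unpack_from("!H", ext, 0)
    pairs = ext[2:2 + n]
    return {HASH_NAMES.get(pairs[i], "unknown") for i in range(0, len(pairs), 2)}


def choose_certificate_chain(record):
    """Serve 'sha256' to SHA-2-capable clients and 'sha1-legacy' to everyone else."""
    hashes = advertised_hashes(parse_client_hello(record))
    if hashes is None:
        # RFC 5246 7.4.1.4.1: no extension means the client supports only SHA-1.
        return "sha1-legacy"
    return "sha256" if hashes & SHA2_NAMES else "sha1-legacy"


# Constructed sample ClientHellos: a current browser, a TLS 1.2 client that
# only lists SHA-1/MD5, and an old TLS 1.0 client with no extension at all.
MODERN = build_client_hello(0x0303, [(4, 1), (5, 1), (2, 1)])
OLD_TLS12 = build_client_hello(0x0303, [(2, 1), (1, 1)])
LEGACY = build_client_hello(0x0301, None)

if __name__ == "__main__":
    for name, rec in [("modern", MODERN), ("old-tls12", OLD_TLS12), ("legacy", LEGACY)]:
        hashes = advertised_hashes(parse_client_hello(rec))
        print(f"{name:10} advertises {hashes} -> serve {choose_certificate_chain(rec)}")
```

The point of splitting the decision this way is that it is the client, not the server, that reveals whether it can verify a SHA-2 signature, so a site can keep its SHA-256 chain as the default and confine the legacy SHA-1 chain to clients that demonstrably cannot use anything else. Logging how often the legacy branch is taken also gives an operator the same kind of measurement CloudFlare used to produce the per-country figures quoted above.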
“We will continue to have to deprecate older standards, and move to new standards as computers get faster over the next few years,” Prince said. “You’ll see some of these users with the older phones having a new incentive to go and upgrade. But obviously, in places like Syria, where over 4 percent of users will suddenly lose access to encryption, they’re not going to be running down to their AT&T store to get new phones.”
While Facebook sees the need for the upgrade, Stamos expressed doubts about the way the changeover is being carried out. But he acknowledged many well-meaning people disagree with Facebook’s proposed workaround: a new type of legacy certificate.
“We don’t think it’s right to cut tens of millions of people off from the benefits of the encrypted Internet, particularly because of the continued usage of devices that are known to be incompatible with SHA-256,” Stamos wrote. “Many of these older devices are being used in developing countries by people who are new to the Internet. … We should be investing in privacy and security solutions for these people, not making it harder for them to use the Internet safely.”