Slashdot Mirror


SHA-1 Cutoff Could Block Millions of Users From Encrypted Websites (csoonline.com)

itwbennett writes: As previously reported on Slashdot, browser makers are considering an accelerated retirement of the older and increasingly vulnerable SHA-1 function. But Facebook and CloudFlare are warning some 37 million users of old browsers and operating systems that don't support SHA-2 will be left without access to encrypted websites. The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world," CloudFlare's CEO Matthew Prince said Wednesday in a blog post. Facebook has solved this problem by building a mechanism that allows its certificates to be switched automatically based on the browser used by the visitor.

5 of 146 comments

  1. Facebook -- ??? by plover · Score: 3, Insightful

    So let me see if I understand Facebook's approach here: there are non-secure certificates. Facebook will fix the problem by downgrading connections to use non-secure certificates. Bad guys would never pretend to need a non-secure certificate. Therefore, Facebook remains safe?

    --
    John
    1. Re:Facebook -- ??? by Anonymous Coward · Score: 4, Insightful

      Nope.

      Here's how this spins out.

      If you got a nice shiny new SHA-2-only browser, and you go to the real Facebook, it has a SHA-2 cert and everything works, and you're safe.
      If you got a crappy browser that can't handle SHA-2, and you go to the real Facebook, it shows a SHA-1 cert, which you trust; you are at risk, but only because you've got a crappy browser. Hate the risk? Get a newer browser.
      If you got a nice shiny new SHA-2-only browser and a bad guy pretends to be Facebook, sends the SHA-1 cert, your browser says "Ugh, insecure, No" and you're safe and the bad guy wasted their time.
      If you got a crappy browser that can't handle SHA-2 and a bad guy pretends to be Facebook, they might _if they spent a lot of money / resources_ fake you out. So you should have got a nice shiny new browser.

  2. Slashdot will remain accessible by Ksevio · Score: 5, Insightful

    Fortunately, slashdot will remain accessible as it still hasn't entered the 2010's and added encryption yet!

  3. Re:I don't see this as a problem, except for.... by PPH · Score: 1, Insightful

    And most of those relief agencies are the ones that need it the most and can't afford to upgrade.

    Clicked 'Download Firefox Now'. Total cost: $0.

    --
    Have gnu, will travel.

  4. Re:Good by tepples · Score: 3, Insightful

    Can't upgrade because reasons? Go cry to whomever is creating that problem for you

    Such crying would fall on deaf ears, as mobile device manufacturers routinely announced end of support not only for handsets that are still under 2-year financing but also for handsets that are still being sold in stores. And when "whomever" amounts to the "poorest, most repressive, and most war-torn countries in the world," as the article mentions, what recourse does one have?