SHA-1 Cutoff Could Block Millions of Users From Encrypted Websites

itwbennett writes: As previously reported on Slashdot, browser makers are considering an accelerated retirement of the older and increasingly vulnerable SHA-1 function. But Facebook and CloudFlare are warning some 37 million users of old browsers and operating systems that don't support SHA-2 will be left without access to encrypted websites. The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world," CloudFlare's CEO Matthew Prince said Wednesday in a blog post. Facebook has solved this problem by building a mechanism that allows its certificates to be switched automatically based on the browser used by the visitor.

Re:Facebook -- ???

[Errol+backfiring]

My first thought was a kind of "degrading man in the middle" attack. Alter the requests so that non-secure certificates are negotiated, then tune in to the less secure communication while the browsers show that the connection is secure. You'd still need a lot of computing power to crack the SHA-1 encrypted stream, but for criminals, either government or otherwise, that is not a huge problem.

Re:Pretty sure...

[Locke2005]

Problem for PCs is not browser availability or cost, problem is that for some people downloading a GByte of data to install a new browser is not feasible. Also, browsers are in everything now, including smartphones, smart TVs, and Nintendo DS, so you're stuck with what the hardware vendor supplies you. (Don't get me started on my Smart TV not showing videos because most hosts support video using Adobe Flash only, and Adobe refuses to license flash to most hardware manufacturers. HTML5 has been a standard for how many years now?)

Re:Free Oracle upgrades available everywhere

[mveloso]

Porting from Oracle to Postgres is free too, if you want everything to break.

They can't do this reliably

[madbrain]

The problem with that is that there is no actual way to detect that an old browser doesn't support SHA-2.
For example, older versions of Firefox/NSS since 2003 have supported SHA-2 server certificates, but not SHA-2 in TLS cipher suites as the MAC algorithm, which wasn't specified until years later.

The TLS ClientHello message does not specify which types of hash algorithm the client supports for certificates, only the list of cipher suites that the client supports.

Thus, Facebook, or anyone else, has no way of determining if a client really doesn't support SHA-2 server certificates.

What they are probably doing is assuming that clients that don't support SHA-2 MAC in TLS cipher suites . But that's a wrong assumption. Many older clients will be downgraded to SHA-1 server certificates as a result, even though they support SHA-2 certificates. And they will have no way of knowing that this happened.