Here's the Security Upgrade That Will Keep 40 Million People Off the Web
On January 1, new encryption measures will exclude almost 40 million internet users from the most popular sites.
That green lock you see in your URL bar indicates an authentic and private connection. The certificate behind it ensures both that your information remains within the trusted website’s bounds and that the website you’re visiting is actually the website it purports to be. When you log in to Facebook, in other words, you’re being promised both that a) your information — login, communications, photos, etc. — remains within the secure bounds of the site and b) Facebook is actually Facebook, not an impostor.
If someone were to crack a SHA-1-secured site, they’d have their hands on extremely valuable information — making the cost of the initial break-in negligible by comparison. An individual, an organization, or a nation could pose as Facebook, say, while intercepting whatever exchanges or private information they wanted. Another threat is a phishing attack, in which an individual, organization, or nation masquerades as a site in order to steal users’ information.
Given the insecurities of SHA-1, most major sites agree that the transition is overdue. There’s a downside, though. Internet users with old phones or desktops will not be able to access SHA-2-secured sites. Old phones or computers have virtual ceilings that preclude their programs or apps from updating. And SHA-2 will have a sort of “You Must Be This Tall to Ride” measure on browsers. Essentially, if your phone or computer is not “tall enough” — read: new enough, updated enough — to “ride,” SHA-2-secured sites will turn you away.
CloudFlare, who researched the problem and provided their own solution, listed 25 countries with the least support—and found that this list “overlaps with lists of the poorest, most repressive, and most war torn countries in the world.” Much of the developed world will be spared: in North America and Western Europe, over 99 percent of browsers are SHA-2 compatible. In China, however, the figure drops to about 93 percent, and in Cameroon, Yemen, Sudan, Egypt, Libya, Ivory Coast, Nepal, Ghana, and Nigeria it’s right around 95 percent. The exclusion percentage seems low, but taken in context it amounts to a staggering number of internet users.
The end result is that the overwhelming majority of users who will be turned away from the SHA-2 ride will be those who may most need to access the sites. (Think of Facebook and Twitter’s impact on the Arab Spring.) In addition, countries that may still route infrastructure through outdated platforms will be made vulnerable to attack.
On December 31, 2015, some of the internet’s biggest sites will be off limits to almost 40 million users. A sensible but tough New Year’s resolution to upgrade encryption technology will block out about 5 percent of the developing world’s online population from secure, certified sites like Google, Facebook, and Twitter.
If your phone is more than five years old, you’ll be excluded, too.
It’s all due to a move to the SHA-2 hash algorithm from its predecessor, SHA-1. It’s a little confusing, but here it goes: Before SHA-1, mobile phones used the MD5 hash algorithm, which, in 2008, was found to be insecure. It wasn’t until 2013 that MD5 was fully phased out, and SHA-1 became the rule.
Soon, though, security experts cracked SHA-1. And with faster and faster computers, it’s getting cheaper and cheaper to crack SHA-1 sites: A 2012 study warned that while that year it would cost an estimated $2.77 million to do so, the figure in 2015 would fall to $700,000. (For 2018, the estimate dropped to $173,000, and for 2021, to a mere $43,000.) Now that it is 2015, though — as Ars Technica reports — “researchers believe that such an attack could be carried out this year for $75,000 to $120,000.”
This is worrisome, or noteworthy, for two reasons. First, the sites that require the highest levels of security are the sites that get the most traffic, the sites that are the most popular. Again, these include (but are not at all limited to) Google, Facebook, and Twitter, and their associated sites. Second, the users whose devices will not pass the bar are primarily located in developing nations, often nations ravaged by war and injustice.
CloudFlare’s solution, which Facebook is reproducing, is to enable “SHA-1 fallback.” Users who would otherwise be blocked out of CloudFlare or Facebook sites will instead be given access under SHA-1 protections. This is not an ideal solution — the security flaws will still exist — but at least it will be less exclusionary.
(We’ve already transitioned to SHA-2 here at Inverse. If you’re reading this article, then, you can rest assured that you will be able to access your favorite sites come 2016.)