Tuesday, December 29, 2015

HTTPS Lockout May Begin in January 2016

HTTPS Lockout
Zack Whittaker for Zero Day reports that in 2016, tens of millions of people around the world will face trouble accessing some of the most common encrypted websites like Facebook, Google and Gmail, Twitter, and Microsoft sites.

Why? Because their browser or device will be unable to read the new, more secure certificates.

SHA1, the cryptographic hashing algorithm that has been at the heart of the web's security for a decade, will be retired in a little over a year. Some researchers say a practical collision could be found by the end of the year, which would make it useless for signing certificates and weaken security for millions of users.

Certificate authorities said they will respond by no longer issuing SHA1 certificates from midnight, 1 January 2016, opting instead for SHA2 certificates (in practice, SHA-256). SHA2 is a significantly stronger family of hash functions that should last for many years to come. But there's a problem. A small but significant share of the internet's users don't have browsers or devices that are compatible with SHA2.
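The practical question for a site operator is which hash the CA actually signed each certificate in the chain with. The following is an added example, not code from the article or from any CA or browser vendor: a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and flags MD5 or SHA-1 signatures on the leaf and intermediates. The sample certificates it builds are constructed, structurally valid but cryptographically meaningless blobs (dummy tbsCertificate, all-zero signature), and the function names are this example's own. One caveat a checker should get right: browsers do not verify the self-signature on a trust anchor, so a SHA-1-signed root is harmless and is skipped by default.

```python
"""Added example: which hash signed each certificate in a chain?  Minimal DER walker."""

# signatureAlgorithm OIDs -> (hash, key algorithm); see RFC 3279, RFC 4055, RFC 5758.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5", "RSA"),
    "1.2.840.113549.1.1.5": ("sha1", "RSA"),
    "1.2.840.10040.4.3": ("sha1", "DSA"),
    "1.2.840.10045.4.1": ("sha1", "ECDSA"),
    "1.2.840.113549.1.1.11": ("sha256", "RSA"),
    "1.2.840.113549.1.1.12": ("sha384", "RSA"),
    "1.2.840.113549.1.1.13": ("sha512", "RSA"),
    "1.2.840.10045.4.3.2": ("sha256", "ECDSA"),
    "1.2.840.10045.4.3.3": ("sha384", "ECDSA"),
    "1.2.840.10045.4.3.4": ("sha512", "ECDSA"),
}
WEAK_HASHES = {"md5", "sha1"}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OID content octets (base-128 arcs) to dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, hash, key_alg) from the outer Certificate.signatureAlgorithm,
    i.e. SEQUENCE { tbsCertificate, signatureAlgorithm, signature } (RFC 5280 4.1)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier
    oid_tag, oid_val, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(oid_val)
    return (oid,) + SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))

def weak_signatures(chain, root_is_last=True):
    """[(index, hash)] for leaf-first DER certs signed with MD5 or SHA-1.
    The trust anchor's self-signature is never verified by browsers, so it is skipped."""
    findings = []
    for i, der in enumerate(chain):
        if root_is_last and i == len(chain) - 1:
            continue
        hash_name = signature_algorithm(der)[1]
        if hash_name in WEAK_HASHES:
            findings.append((i, hash_name))
    return findings

# --- constructed sample data: a DER encoder just big enough to build fake certs ---
def _tlv(tag, value):
    assert len(value) < 0x80                 # short-form length suffices for the samples
    return bytes([tag, len(value)]) + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def make_fake_cert(sig_oid):
    """Constructed sample: real outer shape, dummy tbsCertificate, all-zero signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x02, b"\x01\x00"))
    alg = _tlv(0x30, _encode_oid(sig_oid) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 33)           # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    chain = [make_fake_cert("1.2.840.113549.1.1.5"),    # leaf: sha1WithRSAEncryption
             make_fake_cert("1.2.840.113549.1.1.11"),   # intermediate: sha256WithRSA
             make_fake_cert("1.2.840.113549.1.1.5")]    # root: SHA-1, but ignored
    print(weak_signatures(chain))                       # [(0, 'sha1')]
```

To run it against a real server, capture the chain with `openssl s_client -showcerts -connect host:443`, convert each PEM block with the standard library's `ssl.PEM_cert_to_DER_cert`, and pass the resulting list, leaf first, to `weak_signatures`. The walker reads only the outer signatureAlgorithm; RFC 5280 requires tbsCertificate.signature to match it, and a mismatch would be a reason to reject the certificate rather than trust either field.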

"We're about to leave a whole chunk of the internet in the past," said CloudFlare chief executive Matthew Prince, during a conversation in ZDNet's New York newsroom in early October.

Encryption isn't just important for protecting your online banking, email accounts, and social networks. That green lit-up bar or padlock in your browser also verifies the identity of a site and the integrity of the connection, offering a strong level of assurance that the page has not been modified in transit.

More sites nowadays are adopting encryption because it costs little to nothing to implement.

In an age of daily data breaches, hacks, and mass surveillance, moving to the stronger SHA2 algorithm is more important than ever. But browser makers and website owners alike thought they had more time.

Prominent security researchers thought SHA1 would last until about 2018, but now they think the SHA1 algorithm may be broken by the end of 2015.

The good news is that most websites are already using the stronger SHA2 certificates. About 24 percent of SSL-encrypted websites, roughly 1 million sites, still use SHA1.

That figure is declining every month, so much so that by the end of the year it could fall as low as 10 percent of all websites, meaning the vast majority of encrypted websites will be safe from SHA1 collision attacks.

For most people, there's nothing to worry about. The majority are already using the latest Chrome or Firefox browser, the latest operating system, or a recent smartphone with up-to-date software, all of which can validate both the old SHA1-signed certificates and the newer SHA2-signed ones.

But many users, particularly those in developing nations running older software and devices, and even "dumbphones," the candy-bar cellphones with basic mobile internet, will hit a brick wall, because their devices are too old to recognize SHA2 at all and will reject any site whose chain is signed with it.
