How new encryption standard could leave poor Web users exposed

Even though an online encryption standard adopted Jan. 1 is meant to make the Web safer, Mozilla and Symantec opted to make an exception to the protocol so that people whose devices can't support the upgrade aren't put at risk.

Even as fluid as the digital world can sometimes seem, change is never easy online.

As leading tech companies have attempted to push for websites to adopt stronger encryption standards, which can safeguard critical data as it moves around the Internet, some older browsers and computers are not able to support many of the updated protocols needed to enhance digital security.

That's especially the case in the developing world, where many people still rely on older devices and Web browsers to get online and where government surveillance is often the most pervasive.

Therefore, late last month, Mozilla and Symantec announced they would make an exception to rules meant to take effect Jan. 1 to move the Web away from an insecure encryption standard. That way, companies that haven't been able to make the technical upgrades to take advantage of the more robust standard will still have additional time to switch over without cutting users off from basic digital security protections.

The decision follows an intense debate in technology and cybersecurity circles about how to transition the Web to stronger encryption standards that could enhance security for the vast majority of users but leave some of the most vulnerable Internet users more exposed to state surveillance and criminal scams.

"The question isn't really whether people are going to move to [the new standard]," said Melanie Ensign, a security spokesperson for Facebook. "The real question is whether we leave the door open for [the old standard] to be used at all, by anyone, during the transition.”

SHA-1 v. SHA-2

At issue is SHA-1, an encryption algorithm used in the Web protocol called secure HTTP, or HTTPS, that’s at the heart of how the Web works. HTTPS has become the standard for online banking and commerce, and it’s increasingly common on social media, federal government sites, and even news sites.

Here's how it works: After some verification, a certificate authority uses a Secure Hashing Algorithm, or SHA, to sign a digital certificate for a website that wants to use HTTPS. When a user connects to the site, their browser examines that certificate and, if it checks out, establishes a secure connection. The user then has some assurance that the site is what it says it is, and that the content of their communication with the site is encrypted. Most Web browsers show a lock icon or a similar indicator in the address bar for HTTPS sites.

In 2012, cryptography experts estimated that creating a forged SHA-1 certificates could be affordable for organized crime by 2018. The cheap availability of cloud computing has moved that timeline up dramatically. In response, the security community has move away from SHA-1 to a more secure standard, called SHA-2.

Certificate authorities stopped issuing new SHA-1 certificates on Jan. 1. Microsoft, Google, and Mozilla products will show increasingly severe error messages on websites that use existing SHA-1 certificates. Eventually, their products will stop supporting SHA-1 altogether. That’s spurred websites to move from SHA-1 to SHA-2 quickly. As they do, outdated phones and browsers generally either default to an unencrypted version of the website or will be unable to view the site altogether.

(A relatively small number of sites, including Facebook, can use either SHA-1 or SHA-2 encryption, as necessary. More on that later.)

As Passcode reported in December, older technology that cannot use SHA-2 is particularly common in many poorer nations. Just 0.07 percent of US browsers don’t support SHA-2, according to data published last December by CloudFlare. By contrast, 6.1 percent of browsers in China, 5.2 percent of browsers in Yemen, and 4.8 percent of browsers in Egypt don’t support it.

Those numbers may seem small, but they represent millions of users in those countries, according to Ms. Ensign of Facebook. And while some of those users can upgrade to a newer browser, others access the Web using phones that will never be able to support SHA-2.

Faced with the possibility of cutting off millions of users, Ensign fears websites in those countries could forego encryption altogether.

"There's a possibility that the transition will force people to upgrade," Ensign tells Passcode. "But the second possibility, which is actually more likely in developing parts of the world, is that people are actually going to be using the Internet in unencrypted modes."

The networking problem 

It’s not necessarily that simple, according to Eric Mill, a security expert who’s been vocal about the need to move away from SHA-1.

While some users do have out-of-date technology, he says, others access the Web through a router or other middle box networking equipment that downgrades their connections. That’s a matter of companies and institutions not upgrading their systems, not people who can’t access new technology. The data published by CloudFlare isn’t detailed enough to distinguish between the two cases, according to Mr. Mill.

"If an entire company can't access most of the secure Web, the company is going to fix it. And if a person in a war-torn country can't access the secure Web, their options are a little different," Mill said. "Certainly there's more urgency to the digital divide problem than to the middle-box problem."

John Graham-Cumming, CloudFlare’s chief technology officer, could not immediately say what percentage of people in CloudFlare’s data had problems using SHA-2 because a middle box downgraded their connection, rather than because of an outdated browser or feature phone.

The recently announced exception to the Jan. 1 encryption standard deadline highlights the messiness of the transition to SHA-2.

For instance, the payment provider Worldpay PLC recently approached Mozilla through its certificate authority, Symantec, to get new SHA-1 certificates for its payment terminals, according to a blog post by Richard Barnes, Firefox security lead at Mozilla. The terminals use SHA-1 to transmit credit card data over the Internet to the company’s servers, and they don’t yet support SHA-2. Without new SHA-1 certificates, they’d be useless.

It’s a position many companies have found themselves in. Whether it’s routers or payment terminals, many business devices rely on public certificate authorities for their encryption. That’s a problem, according to Mill, because what’s best for the public Internet — like no longer issuing new SHA-1 certificates — isn’t necessarily best for a company’s internal applications.

"Essentially, the public interest broadly is now intruding on your enterprise interests in a way that I don't think most enterprises realize," Mill said. "Enterprises, they don't quite get the [certificate] issuance threat, and they don't quite get what the public trusted root is there for." Unlike other forms of encryption, like PGP, Mr. Mill says the system of certificate authorities and trusted root certificates allows for seamless public encryption while browsing the Web.

A security fail-safe?

In December, CloudFlare and Facebook put forward a proposal at the CA/Browser Forum – the trade group that regulates the HTTPS certificate process – that would have created a new class of temporary SHA-1 certificates called Legacy Validated (LV). Under the proposal, certificate authorities would have been able to issue LV certificates after the Jan. 1 cutoff as long as a site confirmed it would only serve the SHA-1 certificate to older browsers or devices. 

The LV proposal was part of CloudFlare’s larger plan for handling the transition, laid out in a blog post by its chief executive officer, Matthew Prince, last December. The company encouraged sites to set up a fallback system that would serve more secure SHA-2 certificates to modern browsers while serving SHA-1 certificates to browsers that can’t use the new standard. 

"We also are fully behind the push to SHA-2. It's just a question of what do you do in a transitional period," said John Graham-Cumming, CloudFlare’s chief technology officer. "How do you make sure people don't suddenly lose the Web, or lose the encrypted Web?" 

CloudFlare’s proposal received strong pushback from several other members of the CA/Browser Forum, and the company is going ahead with a backup plan, according to Mr. Graham-Cumming. Allowing certificate authorities to continue issuing SHA-1 certificates, even in a limited and temporary way, will increase the risk of forgeries, many argued, and potentially discourage companies and users from upgrading. 

"There are not a lot of messages left to send that are effective," said Mill, the security expert, “beyond starting to actually degrade service.”