When the SHA-1 security algorithm ceases to be used next year, it could make the Internet less safe for a lot of people. The algorithm offered access to encrypted sites–think more secure HTTPS websites–and was compatible with most browsers. Its successor SHA-256, however, will only be able to provide secure connections on more up-to-date browsers.
SHA-1 (Secure Hash Algorithm 1) is a function designed by the NSA and is a U.S. Federal Information Processing Standard.
SHA-1’s retirement was a long time coming: In recent years, the algorithm has proven to be less secure than previously thought. But as Facebook has pointed out, citizens of developing countries often don’t have the latest and greatest technology, which means the people who most need encrypted access to the Internet–those whose countries’ governments are tracking their every move–may be stripped of it. The company’s chief security officer, Alex Stamos, explained Facebook’s stance in a blog post published Wednesday:
We don’t think it’s right to cut tens of millions of people off from the benefits of the encrypted Internet, particularly because of the continued usage of devices that are known to be incompatible with SHA-256. Many of these older devices are being used in developing countries by people who are new to the Internet, as we learned recently when we rolled out TLS encryption to people using our Free Basics Platform. We should be investing in privacy and security solutions for these people, not making it harder for them to use the Internet safely.
The social network was supported in its opinion by security firm CloudFlare, which listed in its own post the countries–Syria, Yemen, and Sudan, to name a few–where SHA-256 was least likely to be compatible with browsers. “Unfortunately, this list largely overlaps with lists of the poorest, most repressive, and most war-torn countries in the world,” the company wrote. “In other words, after December 31 most of the encrypted web will be cut off from the most vulnerable populations of Internet users who need encryption the most.”
The two companies have suggested that, even after SHA-1 expires, it should be available on browsers that don’t play well with SHA-256.