The SHA-1 Sunset
Like many engineering fields, the practice of information security in the real world is all about finding an appropriate balance between two desirable goals. One of the most interesting areas of balance is between making systems secure against new attacks and providing security to the broadest population. This dynamic is readily apparent in the debate around the upcoming sunset of the SHA-1 hash algorithm, and my colleagues and I at Facebook believe that the current path forward should be reexamined.
Our friends at CloudFlare have written an excellent post on the subject of SHA-1 certificates, and I would suggest you read their post for a good background on the issue.
Facebook's data shows that 3-7% of browsers currently in use are not able to use the newer SHA-256 standard, meaning that tens of millions of people will not be able to securely use the Internet after December 31st. A disproportionate number of those people reside in developing countries, and the likely outcome in those counties will be a serious backslide in the deployment of HTTPS by governments, companies and NGOs that wish to reach their target populations.
After discussing this issue with my colleagues at Facebook, we came together on the following points:
- The recent advancements in generating SHA-1 collisions do indicate that the industry should transition to SHA-256 certificates.
- We support the removal of SHA-1 support from the latest browser releases.
- Facebook has found success running a large TLS termination edge with certificate switching, where we intelligently choose which certificate a person sees based upon our guess as to the capabilities of their browser. This allows us to provide HTTPS to older browsers using SHA-1 while giving newer browsers the security benefits of SHA-256.
- We don't think it's right to cut tens of millions of people off from the benefits of the encrypted Internet, particularly because of the continued usage of devices that are known to be incompatible with SHA-256. Many of these older devices are being used in developing countries by people who are new to the Internet, as we learned recently when we rolled out TLS encryption to people using our Free Basics Platform. We should be investing in privacy and security solutions for these people, not making it harder for them to use the Internet safely.
Taking these ideas into account, I support CloudFlare's proposal for a different approach. Namely, the CA/Browser Forum should create a new type of Legacy Verified certificate that should only be issued to organizations that have demonstrated they are offering SHA-256 certificates to modern browsers. Such verification can be automated or manual, and appropriate measures can be put in place to reduce the risk of a collision attack. Those protections could include requiring LV applicants to have already passed OV or EV verification, as well as technical best practices such as serial number randomization. If this change cannot be implemented by December 31st, then we call on the CA/B Forum to delay the implementation of the SHA-1 rules for the period necessary to establish standards for Legacy certificates.
Facebook has already open sourced the code we use for certificate switching as part of our Proxygen HTTP library, and all are welcome to use it under the terms of our BSD-style license.
This is not an easy issue, and there are well-meaning people with good intentions who will disagree. We hope that we can find a way forward that promotes the strongest encryption technologies without leaving behind those who are unable to afford the latest and greatest devices.
