First let’s define some terms.
Encryption: The primary purpose of encryption is to protect the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks. Modern encryption algorithms play a vital role in the security assurance of IT systems and communications as they can provide not only confidentiality, but also the following key elements of security:
- Authentication: the origin of a message can be verified.
- Integrity: proof that the contents of a message have not been changed since it was sent.
- Non-repudiation: the sender of a message cannot deny sending the message.
Certificate: An electronic document used to prove ownership of a public key. The certificate includes information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct.
SHA-1 and SHA-2: SHA-1 is what’s known as a cryptographic hash function. Like all hash functions, it takes a collection of text, computer code, or other message input and generates a long string of letters and numbers that serves as a cryptographic fingerprint for that message.
Just a note here, over 92% of all SSL certificates issued in 2014 were SHA-1 and then 98% of all SSL certificates (in 2014) were SHA-1. Why bother with 2014? Isn’t that in the past? Well, yes, but this is going to affect users with equipment that is still using Windows Server 2003 (or older… heaven forbid), XP (ditto on the older…), and possibly Windows Vista. So from this we can see that the users affected are going to be in third world countries, China because of the rampant pirating of Windows OSes, and older users in America (Enterprise organizations and individual users alike).
It has been all of our worst nightmares for years now. What if we couldn’t use the Internet anymore? Well hold on there…it isn’t as bad as it sounds (I guess). What I am about to talk to you about will only affect your smartphones (and even then, not all phones). Ok, ok, what the h-e-… am I talking about?
Well, as of January 1, 2016, if you are using an older smartphone and/or desktop you may be cut off from the Internet’s most popular websites (e.g., Facebook, Twitter, Google…). Why? It’s in the encryption. In fact, it has to do with how a website tells you it is encrypted and it is safe for you to use. It has to do with using the old system of encryption that (mostly) everybody uses right now or using the new replacement.
The CA/Browser Forum actually sets encryption policy for the Internet and they also issue certificates that tell website visitors that the site is safe and encrypted (you should be familiar with the https:// and the tiny green lock on the website address). Websites use something called a “cryptographic hashing algorithm”. The old one is SHA-1 and the new (and much stronger) one is SHA-2. In October 2015 it was pointed out to the CA/Browser Forum that SHA-1 is no longer safe and that by the end of this year it will be breakable. So as of January 1, 2016 they will no longer issue certificates (assuring the safety of the site) for SHA-1. They will instead issue SHA-2 certificates that are stronger and (obviously) safer.
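As an added example (not from the original article), here is a standard-library Python check that reads the signatureAlgorithm OID out of a DER-encoded certificate and reports whether the certificate is signed with SHA-1 or SHA-2. The function names are this example's own, and `sample_cert` builds a constructed skeleton with a dummy body and signature so the block runs offline.

```python
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA-1",   # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",      # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "SHA-2",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-2",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-2",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-2",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "SHA-2",    # ecdsa-with-SHA384
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:  # base-128 digits; high bit set means "more bytes follow"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first group packs the first two arcs as 40*X + Y
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_hash(cert_der):
    """Return (hash family, dotted OID) of a DER certificate's signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # signatureAlgorithm SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)     # its first element is the algorithm OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER certificate structure")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, "unknown"), dotted

def sample_cert(oid_body):  # constructed skeleton, not a real certificate
    def tlv(tag, body):     # short-form lengths only; every body here is < 128 bytes
        return bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, oid_body) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"\x02\x01\x01") + alg + tlv(0x03, b"\x00\xAA"))
```

For a real PEM file, convert it first with `ssl.PEM_cert_to_DER_cert(pem_text)` and pass the result to `signature_hash`.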
So what, you say. Just update it. That is just what the CA/Browser Forum wants to do. Just do it and force everybody to change. However, (as always) it is not that easy. Throughout the world anywhere from 4-7% of all users are using phones and/or laptops and desktops that are 5 years old or older. That is a problem. 4-5% of all users amounts to over 37 million users worldwide according to Matthew Prince of CloudFlare (CloudFlare, Inc. is a U.S. company that provides a content delivery network and distributed domain name server services, sitting between the visitor and the CloudFlare user’s hosting provider, acting as a reverse proxy for websites).
So in walks Facebook and CloudFlare to attempt to save the day. They have called on the CA/Browser Forum to roll back some of the requirements of the January 1 deadline. Facebook has even offered their own fix. They suggest building a smart mechanism that would allow browsers to make the switch. Older browsers would stick with SHA-1 and newer browsers would utilize SHA-2. At this moment it is not clear whether the CA/Browser Forum will accept the proposals from CloudFlare and Facebook.
Mozilla has already acted. They have coded their website to allow users with older browsers (browsers that do not support SHA-2) to download Firefox, which does support SHA-2.
So when you see that warning telling you that the certificate for the website you want has expired you will know why. You can go ahead and use it but none of the information you provide while on that site is protected. I certainly would not conduct banking business under those conditions. Google’s Chrome browser is labelling the https:// addresses you use (see below). Good luck and I will see you next time.