SAN FRANCISCO — On the morning of Jan. 1, 2016, many people using a cell phone more than five years old will be unable to reach the encrypted web, which includes sites like Facebook, Google, and Twitter, under an industry plan to change the way those sites prove their identity.
It might not be a big deal in New York or San Francisco, where a 5-year-old phone is treated as an antique, but in some parts of the developing world up to 7% of internet users could find themselves suddenly cut off from the world’s most popular sites, according to research recently published by Facebook and CloudFlare.
“This is a story about encryption and the conflict between how you support the future and the past at the same time,” said Matthew Prince, CEO of CloudFlare, during an interview with BuzzFeed News. “It is important to remember that the internet is not just guys with the newest laptops and an iPhone 6.”
The reason this is happening has to do with how websites prove to you that they are who they claim to be. Despite the heated debate over encryption technology currently being waged in Washington, much of the web already is encrypted. The "https" and the little green lock at the start of many URLs mean that the site has presented a certificate vouched for by an authority your browser trusts, so your browser can be confident it is talking to the real Google, Facebook, or your bank, rather than an imitation.
That certificate is signed by a certificate authority, and the signature relies on what's called a "cryptographic hash function": it boils the certificate down to a short fingerprint, which is what the authority actually signs and what your browser recomputes to confirm the certificate has not been tampered with. The problem is that the hash function most certificates still use, called SHA-1, is no longer considered safe. In October, researchers showed that producing two different documents with the same SHA-1 fingerprint, a so-called collision, is far cheaper than previously estimated and within reach of a well-funded attacker; a collision would let an attacker reuse a legitimate signature on a fraudulent certificate. So the CA/Browser Forum, the industry group that sets the rules for publicly trusted certificate authorities, has ruled that as of midnight Jan. 1, those authorities may no longer issue SHA-1 certificates. New certificates must instead use the stronger SHA-2 family, in practice SHA-256.
“What the folks on the CA/Browser Forum say is that we should force people to move into the future, and that is a compelling argument. But we were studying what the potential effects of this were… and the problem is that people across the world, most of them in the developing world, use old phones or desktops that don’t update themselves, and they won’t be able to access the internet,” said Prince. “We didn’t want to be hyperbolic. We wanted to be realistic. For the developing world, on average, 4 to 5% of visitors will simply be cut off.”
A full country list, showing the percentage of people who will be cut off, is on CloudFlare's blog, but some of the most affected countries will be Yemen (5.25% of browsers), Egypt (4.8%), and China, where over 6% of browsers would no longer be able to safely reach encrypted sites. It might not seem like a lot, but Prince says over 37 million people could be affected.
Those are CloudFlare's numbers. Facebook's own estimate of the number of people affected is higher still.
In a blog post published last week, Facebook chief security officer Alex Stamos wrote:
We don't think it's right to cut tens of millions of people off from the benefits of the encrypted Internet, particularly because of the continued usage of devices that are known to be incompatible with SHA-256. Many of these older devices are being used in developing countries by people who are new to the Internet, as we learned recently when we rolled out TLS encryption to people using our Free Basics Platform. We should be investing in privacy and security solutions for these people, not making it harder for them to use the Internet safely.
Both Stamos and Prince have called on the CA/Browser Forum to roll back some of the requirements for the Jan. 1 deadline. Facebook has proposed its own fix: a mechanism on the server that picks which certificate to send based on what the connecting browser says it can support. Browsers that can handle SHA-2 receive the SHA-2 certificate, and older browsers that cannot receive the SHA-1 certificate. Facebook has published the code for the mechanism so other developers can use it.
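The selection described above can be driven by the TLS ClientHello alone: a TLS 1.2 client lists the hash and signature combinations it accepts in the signature_algorithms extension, and a client that does not send the extension must, under RFC 5246, be assumed to accept only SHA-1. The following is an added example written for this article, not Facebook's or CloudFlare's published code; it assumes that advertising SHA-256 with RSA is the signal for serving a SHA-256-signed RSA chain, and the ClientHello records it parses are constructed inline rather than captured from real clients.

```python
"""Pick a SHA-1 or SHA-256 certificate chain from what a TLS client advertises.

Added example for this article, not Facebook's or CloudFlare's published code.
Assumption: a client that sends the TLS 1.2 signature_algorithms extension
(RFC 5246, extension type 13) listing SHA-256 with RSA can validate a
SHA-256-signed RSA certificate; anything else gets the legacy SHA-1 chain.
"""
import struct

EXT_SIGNATURE_ALGORITHMS = 13   # RFC 5246 section 7.4.1.4.1
HASH_SHA1, HASH_SHA256 = 2, 4   # HashAlgorithm enum values
SIG_RSA = 1                     # SignatureAlgorithm enum value
TLS_1_0, TLS_1_2 = 0x0301, 0x0303


def parse_client_hello(record: bytes) -> dict:
    """Return the client_version and a {type: body} map of the hello's extensions."""
    # Record header: content type (0x16 = handshake), version, 16-bit length.
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    # Handshake header: message type (0x01 = ClientHello), 24-bit length.
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    pos = 0
    (client_version,) = struct.unpack("!H", msg[pos:pos + 2])
    pos += 2
    pos += 32                      # random
    pos += 1 + msg[pos]            # session_id (8-bit length prefix)
    (cs_len,) = struct.unpack("!H", msg[pos:pos + 2])
    pos += 2 + cs_len              # cipher_suites (16-bit length prefix)
    pos += 1 + msg[pos]            # compression_methods (8-bit length prefix)
    extensions = {}
    if pos < len(msg):             # the extensions block is optional; TLS 1.0 hellos often omit it
        (ext_len,) = struct.unpack("!H", msg[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", msg[pos:pos + 4])
            pos += 4
            extensions[ext_type] = msg[pos:pos + length]
            pos += length
    return {"version": client_version, "extensions": extensions}


def signature_algorithms(ext_body: bytes) -> list:
    """Decode the extension body: a uint16 length followed by (hash, signature) byte pairs."""
    (length,) = struct.unpack("!H", ext_body[:2])
    data = ext_body[2:2 + length]
    return [(data[i], data[i + 1]) for i in range(0, len(data) - 1, 2)]


def choose_chain(record: bytes) -> str:
    """Return "sha256" if the client advertises SHA-256/RSA, otherwise "sha1".

    A pre-1.2 hello has no way to advertise hash support, and a TLS 1.2 hello
    without signature_algorithms must be treated as SHA-1-only, so both fall
    back to the SHA-1 chain.
    """
    hello = parse_client_hello(record)
    ext = hello["extensions"].get(EXT_SIGNATURE_ALGORITHMS)
    if hello["version"] >= TLS_1_2 and ext is not None:
        if (HASH_SHA256, SIG_RSA) in signature_algorithms(ext):
            return "sha256"
    return "sha1"


def build_client_hello(version: int, sig_algs=None) -> bytes:
    """Construct a minimal ClientHello record (constructed test input, not a capture)."""
    body = struct.pack("!H", version) + b"\x00" * 32   # client_version + all-zero random
    body += b"\x00"                                      # empty session_id
    suites = b"\x00\x2f\xc0\x2f"  # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                  # compression_methods: null only
    if sig_algs is not None:
        pairs = b"".join(bytes([h, s]) for h, s in sig_algs)
        ext_body = struct.pack("!H", len(pairs)) + pairs
        ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(ext_body)) + ext_body
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Real clients commonly pin the record-layer version to TLS 1.0 for compatibility.
    return b"\x16" + struct.pack("!HH", TLS_1_0, len(handshake)) + handshake


# Three constructed clients: a modern TLS 1.2 browser, a legacy TLS 1.0 device,
# and a TLS 1.2 client that advertises only SHA-1 (it gets the SHA-1 chain too).
MODERN = build_client_hello(TLS_1_2, [(HASH_SHA256, SIG_RSA), (HASH_SHA1, SIG_RSA)])
LEGACY = build_client_hello(TLS_1_0)
SHA1_ONLY = build_client_hello(TLS_1_2, [(HASH_SHA1, SIG_RSA)])

if __name__ == "__main__":
    for name, hello in [("modern", MODERN), ("legacy", LEGACY), ("sha1-only", SHA1_ONLY)]:
        print(f"{name:10s} -> {choose_chain(hello)} chain")
```

Two caveats a practitioner would want: the heuristic is conservative for compatibility, not for security, since a TLS 1.0 or 1.1 client that in fact validates SHA-256 certificates still receives the SHA-1 chain; and the fallback only works for as long as a valid SHA-1 chain exists to serve, which after Jan. 1 means either a certificate issued before the cutoff or the ballot described below being adopted.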
On Friday, Facebook and CloudFlare sent their proposal for a fix to the CA/Browser Forum, writing, "if adopted this ballot would permit continued use of SHA1 certificates past the deprecation deadline (to support older devices) but give newer browsers an easy way to reject SHA1 for users."
Mozilla, which moved its own site to SHA-2 early, said it saw a significant drop in Firefox downloads at the time, though it says the problem has since been fixed.
"Mozilla has implemented mechanisms that will allow users of old browsers, including those which do not support SHA-2, to download Firefox. Firefox supports SHA-2 on all platforms, including older ones," Chris More, head of Firefox Growth and Analytics, told BuzzFeed News.
Jeremy Rowley, a CA/Browser Forum representative for DigiCert, a major certificate authority, told BuzzFeed News that while the group sees the move to SHA-2 as necessary from a security standpoint, it considers the points raised by Facebook and CloudFlare valid.
"We support Facebook’s recommendation that there should be something to do rather than cutting out all these people at the same time," said Rowley. He said Facebook was expected to submit a timeline for its proposal by the end of the working day Monday, but by 5 p.m. PST it was unclear whether Facebook's proposal had been finished.
"There is a growing interest in Facebook's proposal, but it will require all the browsers to consent in some way... that includes Google, Microsoft, Apple, and Mozilla," said Rowley.
But others have criticized the entire process, including Ryan Sleevi, a software engineer at Google, whose Twitter feed has become a repository for those who think the entire CA/Browser system needs to be changed.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F