This Browser Upgrade Could Block Users in Developing Nations from Most of the Web

A more secure type of encryption will soon be required to protect Internet users’ data, but older devices don’t support it.
December 29, 2015

Fearing the loss of Internet users in some of the world’s poorest and most oppressed regions, technology providers Facebook and CloudFlare are calling for a gentler shift to a new Web encryption standard that will protect everything from social media websites to online transactions.

People in developing nations, who often rely on feature phones as their main connection to the Internet, will be the hardest hit by the SHA-1 retirement.

On January 1, browsers will begin phasing out what’s known as the SHA-1 algorithm, with the goal of replacing it with its successor, SHA-2, by 2017. Facebook and CloudFlare, which provides security and speedy connections for Web pages, would like to allow users with SHA-2-incompatible devices to continue using SHA-1, while still sunsetting SHA-1 for the rest of the world.

When Internet users browse an encrypted website, the two-way exchange of information is protected in part by a cryptographic tool called a hash function. These algorithms turn any message into a unique jumble of letters and numbers that assures the information came from the right source. If you see “https” in your URL, the website you are visiting may use SHA-1. It’s these sites that will begin to be blocked from a small population of Web users later this week.

Since the mid-1990s, two hash functions have been the primary protectors of consumers’ browsers. As computing power has dropped in cost, the tools have become easier to crack. The second one, called the MD5 algorithm, was retired in 2008 after researchers exposed serious security flaws. The cost to spoof a SHA-1 hash today is estimated to be around $100,000—a number that will continue to drop.

“People have sort of said, ‘Hey we’ve seen this movie before,’ and we know what is potentially coming and the risk is getting higher and higher,” CloudFlare CEO Matthew Prince says.

The most effective solution is to replace SHA-1 with the more sophisticated SHA-2. But while MD5 and SHA-1 have been compatible with consumer devices from the start, SHA-2 was not released until 2001, and older devices don’t support it. People with old devices—predominantly low-cost feature phones used in developing nations in Asia and Africa—could be cut off from access to encrypted websites and not have the resources to upgrade. CloudFlare estimates 6.08 percent of browsers in China do not have support for SHA-2. In Syria, it’s 3.63 percent.

Richard Barnes, the head of Firefox security at Mozilla, says the company has found only 3 percent of Web traffic warrants using SHA-1.

“Interrupting these users’ experiences is actually good for the Web,” Barnes says. “Using old software is dangerous; in addition to requiring broken cryptography, old software usually has other security problems that have been fixed in more current versions.”

If there is any reason to continue supporting SHA-1, it’s so users have time to download new software that supports the upgrade, Barnes says. Firefox actually switched off SHA-1 support last year, but then reinstated it after noticing a huge drop in Firefox downloads. People with older browsers couldn’t connect to mozilla.org to download the new SHA-2 compatible software.

As computing costs continue to drop, SHA-2 will eventually become weak and need to be replaced. Many current devices do not support SHA-3. Technology like quantum computing could suddenly make the whole line of algorithms instantly breakable.

“This is an exercise that we’re going to have to go through time and time and time again,” Prince says. “Putting in place a mechanism to responsibly support the past while migrating to the future is a good thing and will make that migration much easier.”
