
This Browser Upgrade Could Block Users in Developing Nations from Most of the Web

A more secure type of encryption will soon be required to protect Internet users’ data, but older devices don’t support it.
December 29, 2015

Fearing the loss of Internet users in some of the world’s poorest and most oppressed regions, technology providers Facebook and CloudFlare are calling for a gentler shift to a new Web encryption standard that will protect everything from social media websites to online transactions.

People in developing nations, who often rely on feature phones as their main connection to the Internet, will be the hardest hit by the SHA-1 retirement.

On January 1, browsers will begin phasing out what’s known as the SHA-1 algorithm, with the goal of replacing it with its successor, SHA-2, by 2017. Facebook and CloudFlare, which provides security and speedy connections for Web pages, would like to allow users with SHA-2-incompatible devices to continue using SHA-1, while still sunsetting SHA-1 for the rest of the world.

When Internet users browse an encrypted website, the two-way exchange of information is protected in part by an encryption tool called a hash function. These algorithms turn any message into a unique jumble of letters and numbers that assures the information came from the right source. If you see “https” in your URL, the website you are visiting may use SHA-1. It’s these sites that will begin to be blocked from a small population of Web users later this week.

Since the mid-1990s, two hash functions have been the primary protectors of consumers’ browsers. As computing power drops in cost, the ease with which the tools can be cracked has grown. The second one, called the MD5 algorithm, was retired in 2008 after researchers exposed serious security flaws. The cost to spoof an SHA-1 hash function today is estimated to be around $100,000—a number that will continue to drop.

“People have sort of said, ‘Hey we’ve seen this movie before,’ and we know what is potentially coming and the risk is getting higher and higher,” CloudFlare CEO Matthew Prince says.

The most effective solution is to replace SHA-1 with the more sophisticated SHA-2. But while MD5 and SHA-1 have been compatible with consumer devices from the start, SHA-2 was released in 2001. People with old devices—predominantly low-cost feature phones used in developing nations in Asia and Africa—could be cut off from access to encrypted websites and not have the resources to upgrade. CloudFlare estimates 6.08 percent of browsers in China do not have support for SHA-2. In Syria, it’s 3.63 percent.

Richard Barnes, the head of Firefox security at Mozilla, says the company has found only 3 percent of Web traffic warrants using SHA-1.

“Interrupting these users’ experiences is actually good for the Web,” Barnes says. “Using old software is dangerous; in addition to requiring broken cryptography, old software usually has other security problems that have been fixed in more current versions.”

If there is any reason to continue supporting SHA-1, it’s so users have time to download new software that supports the upgrade, Barnes says. Firefox actually switched off SHA-1 support last year, but then reinstated it after noticing a huge drop in Firefox downloads. People with older browsers couldn’t connect to mozilla.org to download the new SHA-2 compatible software.

As computing costs continue to drop, SHA-2 will eventually become weak and need to be replaced. Many current devices do not support SHA-3. Technology like quantum computing could suddenly make the whole line of algorithms instantly breakable.

“This is an exercise that we’re going to have to go through time and time and time again,” Prince says. “Putting in place a mechanism to responsibly support the past while migrating to the future is a good thing and will make that migration much easier.”
