Skip to Content

This Browser Upgrade Could Block Users in Developing Nations from Most of the Web

A more secure type of encryption will soon be required to protect Internet users’ data, but older devices don’t support it.
December 29, 2015

Fearing the loss of Internet users in some of the world’s poorest and most oppressed regions, technology providers Facebook and CloudFlare are calling for a gentler shift to a new Web encryption standard that will protect everything from social media websites to online transactions.

People in developing nations, who often rely on feature phones as their main connection to the Internet, will be the hardest hit by the SHA-1 retirement.

Beginning on January 1, browsers will begin phasing out what’s known as the SHA-1 algorithm, with the goal of replacing it with its successor, SHA-2, by 2017. Facebook and CloudFlare, which provides security and speedy connections for Web pages, would like to allow users with SHA-2-incompatible devices to continue using SHA-1, while still sunsetting SHA-1 for the rest of the world.

When Internet users browse an encrypted website, the two-way exchange of information is protected in part by an encryption tool called a hash function. These algorithms turn any message into a unique jumble of letters and numbers that assures the information came from the right source. If you see “https” in your URL, the website you are visiting may use SHA-1. It’s these sites that will begin to be blocked from a small population of Web users later this week.

Since the mid-1990s, two hash functions have been the primary protectors of consumers’ browsers. As computing power drops in cost, the ease with which the tools can be cracked has grown. The second one, called the MD5 algorithm, was retired in 2008 after researchers exposed serious security flaws. The cost to spoof an SHA-1 hash function today is estimated to be around $100,000—a number that will continue to drop.

“People have sort of said, ‘Hey we’ve seen this movie before,’ and we know what is potentially coming and the risk is getting higher and higher,” CloudFlare CEO Matthew Prince says.

The most effective solution is to replace SHA-1 with the more sophisticated SHA-2. But while MD5 and SHA-1 have been compatible with consumer devices from the start, SHA-2 was released in 2001. People with old devices—predominantly low-cost feature phones used in developing nations in Asia and Africa—could be cut off from access to encrypted websites and not have the resources to upgrade. CloudFlare estimates 6.08 percent of browsers in China do not have support for SHA-2. In Syria, it’s 3.63 percent.

Richard Barnes, the head of Firefox security at Mozilla, says the company has found only 3 percent of Web traffic warrants using SHA-1.

“Interrupting these users’ experiences is actually good for the Web,” Barnes says. “Using old software is dangerous; in addition to requiring broken cryptography, old software usually has other security problems that have been fixed in more current versions.”

If there is any reason to continue supporting SHA-1, it’s so users have time to download new software that supports the upgrade, Barnes says. Firefox actually switched off SHA-1 support last year, but then reinstated it after noticing a huge drop in Firefox downloads. People with older browsers couldn’t connect to to download the new SHA-2 compatible software.

As computing costs continue to drop, SHA-2 will eventually become weak and necessary to replace. Many current devices do not support SHA-3. Technology like quantum computing could suddenly make the whole line of algorithms instantly breakable.

“This is an exercise that we’re going to have to go through time and time and time again,” Prince says. “Putting in place a mechanism to responsibly support the past while migrating to the future is a good thing and will make that migration much easier.”

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.