We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Intelligent Machines

This Browser Upgrade Could Block Users in Developing Nations from Most of the Web

A more secure type of encryption will soon be required to protect Internet users’ data, but older devices don’t support it.

Fearing the loss of Internet users in some of the world’s poorest and most oppressed regions, technology providers Facebook and CloudFlare are calling for a gentler shift to a new Web encryption standard that will protect everything from social media websites to online transactions.

People in developing nations, who often rely on feature phones as their main connection to the Internet, will be the hardest hit by the SHA-1 retirement.

Beginning on January 1, browsers will begin phasing out what’s known as the SHA-1 algorithm, with the goal of replacing it with its successor, SHA-2, by 2017. Facebook and CloudFlare, which provides security and speedy connections for Web pages, would like to allow users with SHA-2-incompatible devices to continue using SHA-1, while still sunsetting SHA-1 for the rest of the world.

When Internet users browse an encrypted website, the two-way exchange of information is protected in part by an encryption tool called a hash function. These algorithms turn any message into a unique jumble of letters and numbers that assures the information came from the right source. If you see “https” in your URL, the website you are visiting may use SHA-1. It’s these sites that will begin to be blocked from a small population of Web users later this week.

Since the mid-1990s, two hash functions have been the primary protectors of consumers’ browsers. As computing power drops in cost, the ease with which the tools can be cracked has grown. The second one, called the MD5 algorithm, was retired in 2008 after researchers exposed serious security flaws. The cost to spoof an SHA-1 hash function today is estimated to be around $100,000—a number that will continue to drop.

“People have sort of said, ‘Hey we’ve seen this movie before,’ and we know what is potentially coming and the risk is getting higher and higher,” CloudFlare CEO Matthew Prince says.

The most effective solution is to replace SHA-1 with the more sophisticated SHA-2. But while MD5 and SHA-1 have been compatible with consumer devices from the start, SHA-2 was released in 2001. People with old devices—predominantly low-cost feature phones used in developing nations in Asia and Africa—could be cut off from access to encrypted websites and not have the resources to upgrade. CloudFlare estimates 6.08 percent of browsers in China do not have support for SHA-2. In Syria, it’s 3.63 percent.

Richard Barnes, the head of Firefox security at Mozilla, says the company has found only 3 percent of Web traffic warrants using SHA-1.

“Interrupting these users’ experiences is actually good for the Web,” Barnes says. “Using old software is dangerous; in addition to requiring broken cryptography, old software usually has other security problems that have been fixed in more current versions.”

If there is any reason to continue supporting SHA-1, it’s so users have time to download new software that supports the upgrade, Barnes says. Firefox actually switched off SHA-1 support last year, but then reinstated it after noticing a huge drop in Firefox downloads. People with older browsers couldn’t connect to mozilla.org to download the new SHA-2 compatible software.

As computing costs continue to drop, SHA-2 will eventually become weak and necessary to replace. Many current devices do not support SHA-3. Technology like quantum computing could suddenly make the whole line of algorithms instantly breakable.

“This is an exercise that we’re going to have to go through time and time and time again,” Prince says. “Putting in place a mechanism to responsibly support the past while migrating to the future is a good thing and will make that migration much easier.”

Cut off? Read unlimited articles today.

Become an Insider
Already an Insider? Log in.
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Basic.
  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.