SHA-1 Deprecation: No Browser Left Behind

by Matthew Prince.

Welcome to the Internet. All Browsers Welcome

After December 31, 2015, SSL certificates that use the SHA-1 hash algorithm for their signature will be declared technology non grata on the modern Internet. Google's Chrome browser has already begun displaying a warning for SHA-1 based certs that expire after 2015. Other browsers are mirroring Google and, over the course of 2016, will begin issuing warnings and eventually completely distrust connections to sites using SHA-1 signed certs. And, starting January 1, 2016, you will no longer be able to get a new SHA-1 certificate from most certificate authorities.

For the most part, that's a good thing. Prohibitively difficult to forge certificate signatures are part of what keeps encryption systems secure. As computers get faster, the risk that, for any given hashing algorithm, you can forge a certificate with the same signature increases. If an attacker can forge a certificate then they could potentially impersonate the identity of a real site and intercept its encrypted traffic or masquerade as that site.

Deprecating Old Standards

This isn't the first time we've been through this exercise. The original hashing algorithm used for most certificate signatures in the early days of the web was MD5. In 2008, researchers demonstrated they were able to create a collision, generating a forged MD5-signed intermediate certificate that could then be used to impersonate any domain on the Internet. It took browser makers until 2013 to fully deprecate MD5 support and switch to the stronger SHA-1 algorithm. The good news was browsers, back to the first versions of Mozilla and Internet Explorer, supported SHA-1 alongside MD5 so the transition, while still painful, left virtually no one behind.

Computers keep getting faster and now SHA-1 is increasingly vulnerable to potential collision attacks. The estimate today is that it would likely cost around USD$700,000 to generate a SHA-1 collision. By 2021, the price is forecast to fall to just USD$43,000. There’s concern those estimates are optimistic, if anything. To ensure security, it therefore makes sense for modern browsers to deprecate SHA-1 support and move to the more secure SHA-256 algorithm, also known as SHA-2.

SHA-2: This Time It’s Different

Unfortunately, unlike with the deprecation of MD5, where SHA-1 was widely available across even legacy browsers, SHA-2 support is more limited. Windows XP older than Service Pack 3, for instance, has no SHA-2 support. In addition, many less than 5-year-old Android phones (pre-Gingerbread) don't support SHA-2 completely. Given how difficult some carriers make it to upgrade phones, many of these legacy phones are still in use today.

In a Silicon Valley tech company, where most employees get a new laptop every year and having a 5-year-old phone is unheard of, this may not seem like a problem. But the Internet is used by billions of people around the world and most of them don’t have the latest technology. To understand the impact, we spent the last few weeks testing browser connections to CloudFlare's network for SHA-2 support. We see approximately 1 trillion page views for more than 2.2 billion unique visitors every month, which gives us a pretty representative sample of global traffic.

SHA-1/SHA-2 browser support

Global SHA-2 Support, Not Equal

The seemingly good news is that globally, SHA-2 is supported by at least 98.31% of browsers. Cutting 1.69% off the encrypted Internet may not seem like a lot, but it represents over 37 million people. That's the equivalent of the population of California not having access to encryption unless they upgrade their devices. As SHA-2 only sites proliferate, if these users on SHA-1-only browsers try and access an encrypted site, they’ll see an error page that completely blocks their access.

Error page for SHA-1 failure

Now, if it were just a bunch of large enterprises in the United States that refused to get off old versions of Windows XP, then you could make an argument that this is actually a good thing. Unfortunately, the data shows that's not the case. The United States has 99.26% SHA-2 support, making it the 15th most modern browser market (out of more than 190 countries we saw traffic from during our test). In fact, SHA-2 support in Western Europe and North America is universally over 99%.

So where isn't SHA-2 supported? Here are the 25 countries with the lowest SHA-2 support:


Country Percentage of Browsers Without SHA-2 Support
China 6.08%
Cameroon 5.39%
Yemen 5.25%
Sudan 4.69%
Egypt 4.85%
Libya 4.83%
Ivory Coast 4.67%
Nepal 4.52%
Ghana 4.42%
Nigeria 4.32%
Ethiopia 3.82%
Iran 3.78%
Tanzania 3.72%
Syria 3.63%
Paraguay 3.53%
Angola 3.50%
Kenya 3.29%
Algeria 3.12%
Bahrain 3.09%
Nicaragua 3.08%
Myanmar 3.01%
Senegal 2.94%
Bangladesh 2.58%
Venezuela 2.58%
Pakistan 2.55%

We double-checked these numbers with other large Internet providers who had conducted similar surveys and confirmed their results were similar.

Unfortunately, this list largely overlaps with lists of the poorest, most repressive, and most war torn countries in the world. In other words, after December 31st most of the encrypted web will be cut off from the most vulnerable populations of Internet users who need encryption the most. And, unfortunately, if we're going to bring the next 2 billion Internet users online, a lot of them are going to be doing so on secondhand Android phones, so this problem isn't going away any time soon.

SHA-1 Fallback

The practical solution is to serve SHA-2 signed certificates for modern browsers and fall back to SHA-1 certificates for browsers that cannot support SHA-2. That ensures modern browsers can deprecate SHA-1 but we can continue to support users in the developing world on legacy devices.

That's what we have built for CloudFlare's customers. As of today, for all paid CloudFlare customers, we now automatically support SHA-1 fallback. (Free customers' SSL support was already limited to SHA-2 and modern browsers due to the need for SNI.) If you'd prefer not to fallback to SHA-1 you can disable the feature from the Crypto Application in the CloudFlare control panel. This is available for Business and Enterprise customers today and we’ll be adding support for disabling SHA-1 fallback before the end of the year for Pro customers.

image alt text

Who Else Is Falling Back?

CloudFlare isn't the only company doing this. In order to understand who else is supporting SHA-1 fallback we crawled the world's top 100,000 websites. While it's an exclusive club of sites that support SHA-1 fallback, the results are telling.

image alt text

For instance, Alibaba, the Chinese Internet commerce giant, supports SHA-1 fallback across many of its sites. That's not surprising given more than 6% of their Chinese customers could not securely buy from their online store if they only supported SHA-2.

Facebook also supports SHA-1 fallback across many of their sites. Again, that's not surprising given the company's breadth of user base and ambitions to bring more users online across the developing world.

Here is the exclusive club of non-CloudFlare sites in the top-100,000 that support SHA-1 fallback:


Website Notes
tmall.com Alibaba
taobao.com Alibaba
1688.com Alibaba
etao.com Alibaba
tmall.hk Alibaba
alitrip.com Alibaba
taiwan.tmall.com Alibaba
jiyoujia.com Alibaba
yunos.com Alibaba
facebook.com Facebook
whatsapp.com Facebook
fbcdn.net Facebook
messenger.com Facebook
fbsbx.com Facebook
fb.com Facebook
sogou.com Primarily Chinese audience
voc.com.cn Primarily Chinese audience
dresslink.com Primarily Chinese audience
mongodb.com
220-volt.ru
infostart.ru SHA-1 certificate expires in 2024 (!)
sailthru.com
invitro.ru
relax.by
ligabbva.com
deindeal.ch
webtatic.com
liftmaster.com
jobvite.com SHA-1 certificate expired
udsm.ac.tz SHA-1 certificate expired
rdvmedicaux.com SHA-1 certificate expired
univ-nantes.fr SHA-1 certificate expired
l2inc.com SHA-1 certificate expired
hellweg.de SHA-1 certificate expired
meintrendyhandy.de SHA-1 certificate expired
inweb24.com SHA-1 certificate expired
planetnatural.com SHA-1 certificate expired


CloudFlare, as of today, adds another 4,000 sites of the top 100,000 to this soon-to-be-less-exclusive club.

Chicken & Egg: Mozilla

One example brought home the importance of SHA-1 fallback. Mozilla, the maker of Firefox, has always been a proponent of strong cryptography. Firefox has supported SHA-2 since its first version. As a result, earlier this year they switched their site to a SHA-2 certificate. In retrospect, the results weren't a surprise. The Firefox team has spoken publicly about the drop in downloads they experienced when they moved mozilla.org to only support SHA-2 certificates.

Mozilla logo

It's a classic chicken-and-egg problem: customers with legacy browsers can't upgrade if the site where you download the modern browser requires a modern browser. So, as much as it's convenient for those of us with brand new MacBooks and 4k monitors to say that everyone should just upgrade their browser, the case of Mozilla proves that's literally impossible if we force a SHA-2 only Internet.

We worked with the Mozilla team as we developed our SHA-1 fallback feature. They helped us kick the tires on the feature and ensure that we were able to fingerprint connections to deliver the most secure experience possible based on what the browser could support. In the new year, we'll open source the algorithm we're using so even sites that are not on CloudFlare can properly support SHA-1 fallback.

Recommendations

What should the industry do? Along with Facebook, we propose the following to ensure the most up-to-date security for modern browsers while responsibly supporting legacy clients that can't support SHA-2. First, modern browsers should continue to remove support for SHA-1 certificates. There is no doubt that their security is in question. If a user is running a modern browser, all connections should require SHA-256 or better for the certificate signature algorithm.

Second, we urge the CA/B Forum, the industry group that sets encryption policy for certificate authorities and browsers, to create a new class of certificate. Today certificates come in multiple classes: Domain Validated (DV), which can be issued just by proving someone controls a domain; Organization Validated (OV), which can be issued if the domain is validated and some vetting is done on the organization requesting the certificate; and Extended Validation (EV), which require a more thorough vetting of the organization requesting the certificate.

We propose a new Legacy Verified (LV) certificate. These certificates would allow legacy signature protocols, such as SHA-1, and only be issued to organizations that can confirm they properly only issue certs based on modern protocols to modern browsers while falling back for legacy browsers.

Finally, the organizations that provide SHA-1 fallback support should commit that if a vulnerability is discovered which allows some form of downgrade attack — where a modern browser can be tricked into receiving a certificate signed with an insecure protocol — and the vulnerability cannot be patched then they will withdraw fallback support. The CA/B Forum should make this a requirement of an organization being issued LV certificates.

CloudFlare has worked to ensure that we can continue to responsibly provide SHA-1 support for all our paid customers even after the new year. We believe this is critical for ensuring that we don't cut off the world's most vulnerable populations from access to encrypted content online. If you’re not a CloudFlare customer and you are worried about supporting legacy browsers, make sure you get yourself a SHA-1 certificate before the end of the year. After that, unless our proposal for LV certificates is adopted, if you want to enable encryption for all Internet users it will be too late.

December 23, 2015 Update

Twitter has indicated their backing for the proposal to create LV certs.

Tagged with TLS
comments powered by Disqus