SHA1 is a cryptographic hashing algorithm the Internet has relied on for quite some time. As things tend to go in the technology field, the old workhorse is showing its age. Collision attacks against it are getting cheaper every year, so it needs to be put out to pasture.
Because of this, publicly trusted certificates issued from the start of 2016 will be signed with SHA256 instead. Although all modern browsers support SHA256, some older browsers do not. Unfortunately this has led Facebook and CloudFlare to build a jury-rigged fallback that serves SHA1-signed certificates to people still running out-of-date browsers:
Facebook said as many as seven percent of the world’s browsers are unable to support the SHA256 function that serves as the new minimum requirement starting at the beginning of 2016. That translates into tens of millions of end users, and a disproportionate number of them are from developing countries still struggling to get online or protect themselves against repressive governments. CloudFlare, meanwhile, estimated that more than 37 million people won’t be able to access encrypted sites that rely on certificates signed with the new algorithm.
Both companies went on to unveil a controversial fallback mechanism that uses SHA1-based certificates to deliver HTTPS-encrypted webpages to people who still rely on outdated browsers. The remaining, much larger percentage of end users with modern browsers would be served HTTPS pages secured with SHA256 or an even stronger function. The mechanisms, which both companies are making available as open-source software, will allow websites to provide weaker HTTPS protection to older browsers while giving newer ones the added benefits of SHA256. Facebook is deploying the plan on most or all of the sites it operates, while CloudFlare will enable it by default for all of its customers. CloudFlare said other sites, including those run by Chinese portal Alibaba, are also implementing it.
I’m of the opinion that there needs to be a cutoff date for software. That is to say, there needs to be a date after which everyone agrees it will no longer be supported. After that cutoff date anybody who refuses to upgrade will just have to suffer the consequences. I believe this because continuing to support legacy software puts both users and service providers at risk.
Just this year we were all bitten in the ass by legacy support. The FREAK and Logjam attacks were the result of continued support for the export-grade cipher suites once mandated by United States export law: 512-bit RSA keys in FREAK’s case and 512-bit Diffie-Hellman groups in Logjam’s. Both attacks allowed a man-in-the-middle to downgrade the cipher suite negotiated between a client and a server to one of those export suites (FREAK additionally relied on clients accepting a 512-bit export key in a handshake that had not negotiated an export suite). Once downgraded, the communications, although still encrypted, could feasibly be broken, because factoring a 512-bit RSA modulus or computing a 512-bit discrete logarithm is well within reach of an attacker with ordinary cloud computing resources.
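To make both legacy-support problems concrete, here is an added example (my own illustration, not code from Facebook, CloudFlare, or this post) that inspects a TLS ClientHello for two things: whether the client advertises SHA256 in its signature_algorithms extension, which is the kind of signal a SHA1/SHA256 certificate fallback like the one described in the quoted passage has to key on, and whether export-grade cipher suites are on the table, which is what made the FREAK and Logjam downgrades possible. The certificate selection rule in `choose_cert_hash` is an assumption for illustration, not either company’s actual logic; the ClientHello messages are constructed inline, the cipher suite list is a small subset of the registry, and `mitm_downgrade` is a simplified model of the attack (the real attacks also rewrote the ServerHello and, for FREAK, depended on a client bug, neither of which is modelled).

```python
"""Added example: inspect a TLS ClientHello for legacy capabilities.

Only the handshake message is handled; the 5-byte TLS record header is omitted.
"""
import os
import struct

# Cipher suite code points from the IANA TLS registry (small subset).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
STRONG_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
SIG_ALGS_EXT = 0x000D           # signature_algorithms extension type
HASH_SHA1, HASH_SHA256 = 2, 4   # HashAlgorithm values from RFC 5246
SIG_RSA = 1                     # SignatureAlgorithm rsa

def build_client_hello(version, suites, sig_hashes=None, rand=None):
    """Constructed ClientHello. sig_hashes=None leaves out signature_algorithms,
    as a pre-TLS-1.2 client would; rand fixes the 32-byte client random."""
    body = struct.pack("!H", version) + (rand or os.urandom(32)) + b"\x00"  # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    if sig_hashes is not None:
        pairs = b"".join(bytes([h, SIG_RSA]) for h in sig_hashes)
        ext = struct.pack("!HHH", SIG_ALGS_EXT, len(pairs) + 2, len(pairs)) + pairs
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_client_hello(msg):
    """Return version, random, offered suites and advertised hash algorithms (None if absent)."""
    if msg[0] != 0x01 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a well-formed ClientHello")
    pos = 4
    version = struct.unpack_from("!H", msg, pos)[0]; pos += 2
    rand = msg[pos:pos + 32]; pos += 32
    pos += 1 + msg[pos]                                   # skip session id
    cs_len = struct.unpack_from("!H", msg, pos)[0]; pos += 2
    suites = [struct.unpack_from("!H", msg, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + msg[pos]                                   # skip compression methods
    sig_hashes = None
    if pos < len(msg):                                    # extensions block present
        ext_len = struct.unpack_from("!H", msg, pos)[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from("!HH", msg, pos); pos += 4
            data = msg[pos:pos + elen]; pos += elen
            if etype == SIG_ALGS_EXT:
                n = struct.unpack_from("!H", data)[0]
                sig_hashes = [data[2 + i] for i in range(0, n, 2)]  # hash byte of each pair
    return {"version": version, "random": rand, "suites": suites, "sig_hashes": sig_hashes}

def choose_cert_hash(hello):
    """Assumed selection rule for the fallback (not Facebook's or CloudFlare's actual logic):
    serve the SHA256 chain only to clients that advertise SHA256, SHA1 to everyone else."""
    if hello["sig_hashes"] and HASH_SHA256 in hello["sig_hashes"]:
        return "sha256"
    return "sha1"

def offered_export_suites(hello):
    """Names of the export-grade suites the client put on the table."""
    return [EXPORT_SUITES[s] for s in hello["suites"] if s in EXPORT_SUITES]

def negotiate(hello, server_prefs):
    """Server picks the first suite in its own preference order that the client offered."""
    offered = set(hello["suites"])
    return next((s for s in server_prefs if s in offered), None)

LEGACY_SERVER_PREFS = list(STRONG_SUITES) + list(EXPORT_SUITES)   # still speaks export suites
HARDENED_SERVER_PREFS = list(STRONG_SUITES)                       # export suites removed

def mitm_downgrade(msg):
    """Simplified FREAK/Logjam-style rewrite: strip everything but export suites
    from the offer before it reaches the server (version and random preserved)."""
    h = parse_client_hello(msg)
    export_only = [s for s in h["suites"] if s in EXPORT_SUITES]
    return build_client_hello(h["version"], export_only, h["sig_hashes"], rand=h["random"])

if __name__ == "__main__":
    # Constructed clients: a TLS 1.2 browser and a TLS 1.0 one with no extensions at all.
    modern = build_client_hello(0x0303, list(STRONG_SUITES), [HASH_SHA256, HASH_SHA1])
    legacy = build_client_hello(0x0301, [0x002F] + list(EXPORT_SUITES))
    for name, msg in [("modern", modern), ("legacy", legacy), ("legacy via MITM", mitm_downgrade(legacy))]:
        h = parse_client_hello(msg)
        print(name, choose_cert_hash(h), offered_export_suites(h),
              negotiate(h, LEGACY_SERVER_PREFS), negotiate(h, HARDENED_SERVER_PREFS))
```

The legacy client gets a strong suite from either server until the attacker rewrites its offer; after that the server that still lists export suites happily negotiates TLS_RSA_EXPORT_WITH_RC4_40_MD5, while the hardened server has nothing in common with the tampered offer and the handshake fails closed. That failure is the correct outcome, and it is exactly the outcome legacy support trades away.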
By supporting older browsers, Facebook and CloudFlare are giving users another excuse to keep using vulnerable software instead of finally upgrading to something safe. In addition to lacking support for current cryptographic algorithms, out-of-date browsers also contain numerous unpatched security holes that are actively exploited. Using an out-of-date browser is unsafe and shouldn’t be encouraged in my opinion.