Update: Sunsetting SHA-1 and the Impact of User Blocking
With the upcoming sunset of the SHA-1 cryptographic hash function, there has been some concern about cutting off users from access to the benefits of the web. It should be noted that the number of internet users who will be affected is an exceedingly small number – despite assertions like the following from Cloudflare CEO Matthew Prince, “That’s the equivalent of the population of California not having access to encryption unless they upgrade their devices. As SHA-2-only sites proliferate, if these users on SHA-1-only browsers try and access an encrypted site, they’ll see an error page that completely blocks their access.”
Those impacted are almost exclusively in developing countries with primary access only via mobile device, something which should calm most eCommerce and content sites on the Internet. While Facebook and others have expressed concern about the number of users affected, as well as provided some solutions for those who may have users who would be impacted, the target audience for every site needs to be taken into account to judge the appropriateness of providing an access portal for an increasingly small subsection of users. To put this in perspective, any user with access to a computer will have access to either an updated browser or the ability to upgrade their operating system to something that can support SHA-2, the latest update of the SHA cryptographic hash function. Firefox and Chrome are both free cross-platform browsers that work on all major desktop environments including Windows, OSX, and Linux as well as both iOS and Android.
This discussion is fundamentally one of risk versus outcome. Companies such as Facebook or Cloudflare gain financially the more users that have or require access to their platforms. For them the business model requires a larger level of user inclusion; however, the average eCommerce site puts itself at a security and financial disadvantage in maintaining compatibility with SHA-1. The increased infrastructure required to support the compatibility, of course, costs more, while also presenting a larger surface area for security breaches and suffering penalties in PCI Compliance.
Yottaa implemented SHA-256, a variant of SHA-2, for all certificates and all our certificates have been updated, except one which will be retired before March 2016.
You can see a full list of minimum operating systems capable of supporting SHA-2 here: https://support.globalsign.
For a list of rollouts of SHA-1 sunsetting by platform see the following link:
https://support.globalsign.
