The Internet Will Keep Working After Jan. 1, No Matter What CBS Says

By Wayne Rash  |  Posted 2015-12-22 Print this article Print
SHA-2 Certificates

Your Internet presence will need to transition to SHA-2 sometime in the next two years if you encrypt your Web pages. If you don't use encryption, then it won't matter to you.

Normally, your certificate provider will also provide the updated SHA-2, in much the same way as Symantec is responding to the change. Once you've updated your certificate, then your Website will only work with browsers that accept SHA-2. Fortunately, the commonly available browsers already accept SHA-2 certificates, and they have for a while. The chances are very slim that you will notice that the change has happened.

In other parts of the world where bandwidth is harder to come by, this may require some effort, but even older phone browsers should work. After all, SHA-2 has been around since 2001. This may require changes on the part of those who work supporting people in developing areas.

Mark Kaplan, CEO of Tone, a company that partners with providers and government entities to bring Internet access to developing areas, worries that the change might come too fast for some to adapt. He said that many of the larger companies on the Internet don't seem to believe that there are poor people in the United States and elsewhere that use basic mobile devices and need access. "Looking at it from a usability standpoint, how can they get engaged?"

The concern from Kaplan is that the users he works with don't have sufficient computer literacy to know how to make sure their systems are upgraded to handle the new standard. While Kaplan agrees that users will need to make adjustments, he hopes that there will be some means of accommodating these people. There needs to be "consideration for the end user," he said.

But there's more to the issue of certificate security than just the ability to update a browser. "This is a tradeoff between usability and security," said Tim Erlin, director of IT security and risk strategy for Tripwire. "Older devices are already vulnerable," he explained. "They're not going to be more insecure" than they are now. Erlin suggests that Website operators may not want to connect to devices that can't support SHA-2 because their sites are too insecure.

The complexity of the security problem is going to increase for Website operators. For example, Google will start blocking some SHA-1 certificates in 2016. Microsoft and Mozilla may start flagging SHA-1 Websites as being insecure. Clearly, the change is in the works, but that doesn't mean it's happening tomorrow, or even very soon.

One of the things to remember about the Internet is that it's global in scope without any real centralized control. While SHA-2 will go into effect eventually, that will not happen immediately in most cases. After all, if the Internet was capable of immediate change, we'd all be using IPv6 right now, but we're not.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel