NEWS ANALYSIS: Despite predictions of doom on the Internet, the transition to security certificates that enforce SHA-2 encryption will not immediately cut off Web access to anyone.
All of a sudden many Internet users and Internet access advocates are in an uproar about a predicted change that would suddenly render encrypted sites inaccessible.
Their fear was spread by a story on CBS that said millions would be left in the cold, without access. This is, as you might expect from such a non-technical source, total hooey.
However, rest assured that you can sit back and enjoy your holiday celebrations and that when you get back to work on Jan. 4, 2016, the Internet will still work just fine, even if your New Year's hangover makes it hard to see your computer screen.
Here's what's really going to happen. After Jan. 1, encrypted Websites will eventually start using certificates that take advantage of the stronger encryption of SHA-2.
That's it. This means that as sites that use encryption update their certificates, those new certificates will use SHA-2, which stands for Secure Hash Algorithm 2. The certificate is a piece of code that confirms that the site you're looking at is really the site that it claims to be. But this isn't going to happen instantly on Jan. 1.
What happens on New Year's Day is that any new certificates will use SHA-2. However, encrypted sites renew those certificates only when they expire, and that can be any time over the next two years. In the meantime, they can continue to use SHA-1.
This is a big deal because it's possible that some older browsers might not work with SHA-2. This possibility was highlighted in the CBS story in one of the interviews where the person proclaimed that no mobile device over five years old would be able to access encrypted sites after Jan. 1. This is also hooey, although it does demonstrate the risk of believing the popular media when they try to cover technical issues.
What's really happening is that old iPhones, probably the only device the CBS interviewee was familiar with, may not be able to use their native version of Safari. But third-party browsers exist for these phones. And the population of people that the subsequent stories say they're concerned about, people in places outside of the United States and Western Europe, probably aren't spending their money on iPhones.
In fact, most of the world doesn't use smartphones, and where they do, the platform of choice is either Android or BlackBerry. Most of those platforms are capable of handling SHA-2. While mobile technology has transformed many economies, that transformation isn't based on Web browsing. It's based on technologies such as Short Message Service (SMS) texting and email, neither of which depends on SHA-2.
But that doesn't mean you don't need to pay any attention to the change—because you should.