All of a sudden many Internet users and Internet access advocates are in an uproar about a predicted change that would suddenly render encrypted sites inaccessible.
Their fear was spread by a story on CBS that said millions would be left in the cold, without access. This is, as you might expect from such a non-technical source, total hooey.
However, rest assured that you can sit back and enjoy your holiday celebrations and that when you get back to work on Jan. 4, 2016, the Internet will still work just fine, even if your New Year’s hangover makes it hard to see your computer screen.
Here’s what’s really going to happen. After Jan. 1, encrypted Websites will gradually move to certificates signed with the stronger SHA-2 hash algorithm.
That’s it. This means that as sites that use encryption update their certificates, those new certificates will be signed using SHA-2, which stands for Secure Hash Algorithm 2. The certificate is a digitally signed document that confirms that the site you’re looking at is really the site it claims to be. But this isn’t going to happen instantly on Jan. 1.
What happens on New Year’s Day is that any new certificates will use SHA-2. However, encrypted sites renew those certificates only when they expire, and that can be any time over the next two years. In the meantime, they can continue to use SHA-1.
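A site operator who wants to know which side of this transition a given certificate falls on only has to look at its signature algorithm. The following is an added example, not code from the article or from any certificate authority: a standard-library-only Python script that walks the outer DER structure of an X.509 certificate, reads the signatureAlgorithm OID, classifies it as SHA-1 or SHA-2, and reports whether the certificate must be replaced with a SHA-2 one at its next renewal. The certificates it runs on are constructed byte structures with the right DER shape and a placeholder body, so it runs offline; the OID table covers the common RSA and ECDSA signature algorithms from RFC 3279 and RFC 4055.

```python
"""Classify X.509 certificates by the hash used in their signature.

Added example (not from the article). Only the outer signatureAlgorithm
field is parsed, since that is what browsers key their SHA-1 deprecation
on. Test certificates are CONSTRUCTED: valid DER shape, placeholder body,
no real key or signature.
"""

# signatureAlgorithm OIDs -> (name, hash family)   [RFC 3279 / RFC 4055]
SIG_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "SHA-2"),
}

SEQUENCE, OID, NULL, INTEGER, BIT_STRING = 0x30, 0x06, 0x05, 0x02, 0x03


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID content bytes into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return (oid, name, family) from the certificate's signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    _, _, pos = _read_tlv(body, 0)         # skip tbsCertificate
    tag, alg, _ = _read_tlv(body, pos)     # AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    name, family = SIG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, family


def needs_sha2_renewal(cert_der):
    """True if the certificate is SHA-1 signed and must be reissued with SHA-2."""
    return signature_algorithm(cert_der)[2] != "SHA-2"


# --- constructed test data (encoder for the shape above) -------------------

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_test_cert(sig_oid):
    """CONSTRUCTED certificate-shaped DER: placeholder tbs, real AlgorithmIdentifier."""
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01"))
    alg = _tlv(SEQUENCE, _tlv(OID, _encode_oid(sig_oid)) + _tlv(NULL, b""))
    sig = _tlv(BIT_STRING, b"\x00" + b"\x00" * 32)
    return _tlv(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        cert = make_test_cert(oid)
        print(signature_algorithm(cert), "renew with SHA-2:", needs_sha2_renewal(cert))
```

To run this on a real certificate, convert the PEM text to DER with the standard library’s `ssl.PEM_cert_to_DER_cert()` and pass the bytes to `signature_algorithm()`; a fleet-wide inventory of which certificates still carry a SHA-1 signature, together with their expiry dates, is what tells an operator how much of the two-year window described above actually applies to them.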
This is a big deal because it’s possible that some older browsers might not work with SHA-2. This possibility was highlighted in the CBS story in one of the interviews where the person proclaimed that no mobile device over five years old would be able to access encrypted sites after Jan. 1. This is also hooey, although it does demonstrate the risk of believing the popular media when they try to cover technical issues.
What’s really happening is that old iPhones, probably the only device the CBS interviewee was familiar with, may not be able to use their native version of Safari. But third-party browsers exist for these phones. And the population of people that the subsequent stories say they’re concerned about, people in places outside of the United States and Western Europe, probably aren’t spending their money on iPhones.
In fact, most of the world doesn’t use smartphones, and where they do, the platform of choice is either Android or BlackBerry. Most of those platforms are capable of handling SHA-2. While mobile technology has transformed many economies, that transformation isn’t based on Web browsing. It’s based on technologies such as Short Message Service (SMS) texting and email, neither of which depends on SHA-2.
But that doesn’t mean you don’t need to pay any attention to the change—because you should.
The Internet Will Keep Working After Jan. 1, No Matter What CBS Says
Your Internet presence will need to transition to SHA-2 sometime in the next two years if you encrypt your Web pages. If you don’t use encryption, then it won’t matter to you.
Normally, your certificate provider will also provide an updated SHA-2 certificate, in much the same way as Symantec is responding to the change. Once you’ve updated your certificate, your Website will only work with browsers that accept SHA-2. Fortunately, the commonly available browsers already accept SHA-2 certificates, and they have for a while. The chances are very slim that you will notice that the change has happened.
In other parts of the world where bandwidth is harder to come by, this may require some effort, but even older phone browsers should work. After all, SHA-2 has been around since 2001. This may require changes on the part of those who support users in developing areas.
Mark Kaplan, CEO of Tone, a company that partners with providers and government entities to bring Internet access to developing areas, worries that the change might come too fast for some to adapt. He said that many of the larger companies on the Internet don’t seem to believe that there are poor people in the United States and elsewhere that use basic mobile devices and need access. “Looking at it from a usability standpoint, how can they get engaged?”
The concern from Kaplan is that the users he works with don’t have sufficient computer literacy to know how to make sure their systems are upgraded to handle the new standard. While Kaplan agrees that users will need to make adjustments, he hopes that there will be some means of accommodating these people. There needs to be “consideration for the end user,” he said.
But there’s more to the issue of certificate security than just the ability to update a browser. “This is a tradeoff between usability and security,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Older devices are already vulnerable,” he explained. “They’re not going to be more insecure” than they are now. Erlin suggests that Website operators may not want to connect to devices that can’t support SHA-2 because their sites are too insecure.
The complexity of the security problem is going to increase for Website operators. For example, Google will start blocking some SHA-1 certificates in 2016. Microsoft and Mozilla may start flagging SHA-1 Websites as being insecure. Clearly, the change is in the works, but that doesn’t mean it’s happening tomorrow, or even very soon.
One of the things to remember about the Internet is that it’s global in scope without any real centralized control. While SHA-2 will go into effect eventually, that will not happen immediately in most cases. After all, if the Internet were capable of immediate change, we’d all be using IPv6 right now, but we’re not.