Should you heed Facebook’s warning or not?
If a social network that holds millions of users’ data on its servers says that a critical web browser security algorithm is about to reach its expiry date, things must be getting serious. According to Facebook, users who have yet to update the security of their browsers should act swiftly. The company states that during 2016, a number of major web browsers will stop supporting a key security algorithm called SHA-1.
SHA-2 is going to succeed SHA-1; however, it is not going to be supported on older web browsers. This should be more alarming than it sounds, because when SHA-1 goes out of commission, there will be a time when users will be unable to update their web browsers to newer versions because their desktop, laptop or mobile machines cannot support the latest software.
Alex Stamos, Facebook’s chief security officer, is quite concerned about the issue; according to a source, he states the following:
“A disproportionate number of those people reside in developing countries, and the likely outcome in those countries will be a serious backslide in the deployment of HTTPS by governments, companies and NGOs that wish to reach their target populations.”
Facebook has predicted that in the near future, between 3 and 7 percent of all web browsers will be too obsolete to use SHA-2. SHA-1 offers several security measures over its predecessor. However, SHA-1 is omnipresent in developing and third world countries, where individuals have little to no knowledge of web security. Additional statistical data suggests that SHA-2 is supported by at least 98.31 percent of browsers worldwide, and the remaining 1.69 percent comprises 37 million people.
According to CloudFlare’s calculations, it would cost approximately $700,000 today to generate a SHA-1 collision. However, by 2021, the figure will have dropped to about $43,000, since more and more regions will have started to adopt SHA-2. Let us hope that Facebook and CloudFlare are able to roll out an effective campaign that successfully conveys to the public that SHA-1 is going to go out of commission very soon.