Why up to 37 million will have restricted Internet access starting next week
By Anita Balakrishnan
1 Hour Ago CNBC.com
Internet surfers may take that little green or gold lock
in the corner of their Web browser for granted. But starting Jan. 1, 2016, it
might go away for a small percentage of people across the globe, and millions
of users could lose access to websites because of it.
It's all to do with the "SHA-1 Sunset," the phrase
technology insiders use for the end of browser support for website certificates
signed with the SHA-1 hash algorithm. Over the next year, certificates signed
with SHA-1 or anything weaker will no longer meet the level of trust the major
browsers demand, leaving as many as 37 million people unable to reach the
websites that rely on them, according to research from Internet performance and
security company CloudFlare.
It's a routine update to one piece of the Web's plumbing: the
hash algorithm that certificate authorities use to sign a website's
certificate. But the change, decided by a consortium of Internet browser
vendors, could disproportionately affect mobile devices in the developing world.
As a result, some of the world's most vulnerable
populations will be left with only the websites they can reach without the
needed safety protocols.
Here's how it works, according to Tim Erlin, director of IT
security and risk strategy at Tripwire.
When your browser connects to a website, each sends and
receives data. During the encryption setup, the browser and website enter
into a "conversation," to use a metaphor. When they do so, they
negotiate a secret, secure code to "speak" in that's different for
every conversation. Before trusting the site at all, the browser also checks
the site's certificate, which a certificate authority has signed using a hash
algorithm such as SHA-1; that signature is the part now being retired.
Part of the negotiation between the browser and website
is to agree to use the most complex language that both parties can understand,
Erlin said.
"Hackers break that algorithm," Erlin said.
"Once it's broken, it becomes much easier for a criminal to overhear your
conversations. There should always be a plan to upgrade the algorithm because
people are always looking to break it."
Luckily, most people are protected from these types of
hackers without any action on their part, since many websites and browsers
default to encrypted versions, signified by the "s" in
"https://." Indeed, if you're using an up-to-date browser, it was probably
updated automatically to accept certificates signed with SHA-2 algorithms such
as SHA-256, Erlin said.
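The practical question behind this story is which hash a given certificate's signature uses. The following is an added example, not code from CNBC, Tripwire or CloudFlare: it reads the signatureAlgorithm field of a DER-encoded X.509 certificate (the second element of the outer SEQUENCE), decodes its object identifier and reports whether the signature is SHA-1-based. The certificate-shaped blobs it builds for demonstration are constructed test data with a placeholder body and a zeroed signature, not real certificates; the OID table covers the common RSA and ECDSA signature algorithms from RFC 3279 and RFC 4055.

```python
"""Report which hash algorithm signs an X.509 certificate (added example)."""
import sys

# Signature algorithm OIDs (RFC 3279 / RFC 4055) -> (name, hash used).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                    # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_hash(cert_der):
    """Return (algorithm name, hash) from the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    tag, sig_alg, _ = _read_tlv(cert, pos)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    dotted = _decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, (dotted, "unknown"))

def is_sha1_signed(cert_der):
    """True if the certificate's signature is computed over a SHA-1 digest."""
    return signature_hash(cert_der)[1] == "sha1"

# --- constructed test data: certificate-shaped DER, not a real certificate ---
def _tlv(tag, value):
    """Encode one DER TLV, using the long length form when needed."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def constructed_cert(sig_oid):
    """Build a blob with the shape of a certificate: placeholder tbsCertificate,
    a real signatureAlgorithm SEQUENCE for sig_oid, and a zeroed 2048-bit signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    sig_alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    signature = _tlv(0x03, b"\x00" + bytes(256))  # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + sig_alg + signature)

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # a real DER certificate file, if given
        with open(sys.argv[1], "rb") as f:
            blobs = [f.read()]
    else:
        blobs = [constructed_cert("1.2.840.113549.1.1.5"),
                 constructed_cert("1.2.840.113549.1.1.11")]
    for der in blobs:
        name, h = signature_hash(der)
        print(f"{name}: {'affected by the SHA-1 sunset' if h == 'sha1' else 'fine'}")
```

Run it with no arguments to see the constructed SHA-1 and SHA-256 cases, or pass the path of a DER-encoded certificate to check a real one. The check should be applied to the site's own certificate and to any intermediate certificates in the chain; a root certificate's self-signature is not verified by browsers, so a SHA-1 signature on a root alone does not trip the sunset.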
Impact on the developing world
But older operating systems and browsers, such as Windows
XP, may no longer receive updates that add the newer hash algorithms, said
Erlin. And stronger algorithms require more processing power, leaving older
mobile devices, mostly used in developing countries, too overloaded to handle
secure browsing.
That may leave users with phones older than five years
with an error message when they try to access sites that don't offer
unencrypted versions, a decision that varies for each individual site, Erlin
said.
SHA-2 support in Western Europe and North America is
above 99 percent everywhere, according to new CloudFlare research. But
closer to 5 percent of Internet users in countries like China, Cameroon, Yemen,
Sudan, Egypt and Libya use browsers without SHA-2 support.
"When you trade in your cellphone in a country like the
United States, those cellphones make their way to the developing world,"
Matthew Prince, co-founder of CloudFlare, told CNBC's "Squawk Alley"
on Monday. "And those phones are ending up in the hands of people who now
won't be able to access parts of the encrypted Internet."
Worldwide, a population roughly the size of California
doesn't have the needed support, CloudFlare estimates.
"Unfortunately, this list largely overlaps with
lists of the poorest, most repressive, and most war-torn countries in the
world," CloudFlare wrote. "In other words, after Dec. 31, most of the
encrypted Web will be cut off from the most vulnerable populations of Internet
users who need encryption the most. And, unfortunately, if we're going to bring
the next 2 billion Internet users online, a lot of them are going to be doing
so on secondhand Android phones, so this problem isn't going away anytime
soon."
Debate among technology companies
Because SHA-2 support is more limited than during
previous certificate signature hashing algorithm upgrades, technology companies
have been forced to debate an "appropriate balance between two desirable
goals ... making systems secure against new attacks and providing security to
the broadest population," wrote Facebook's chief security officer, Alex
Stamos, in a blog post.
Google has been the most aggressive at turning off the
old encryption support. Alibaba, on the other hand, has made sure its sites
fall back to support the older versions of encryption technology, Prince said.
"We will continue to have to deprecate older
standards, and move to new standards as computers get faster over the next few
years," Prince said. "You'll see some of these users with the older
phones having a new incentive to go and upgrade. But obviously, in places like
Syria, where over 4 percent of users will suddenly lose access to encryption,
they're not going to be running down to their AT&T store to get new phones."
While Facebook sees the need for the upgrade, Stamos
expressed doubts about the way the changeover is being carried out. But he
acknowledged that many well-meaning people disagree with Facebook's proposed
workaround: a new type of legacy certificate.
"We don't think it's right to cut tens of millions
of people off from the benefits of the encrypted Internet, particularly because
of the continued usage of devices that are known to be incompatible with
SHA-256," Stamos wrote. "Many of these older devices are being used
in developing countries by people who are new to the Internet. ... We should be
investing in privacy and security solutions for these people, not making it
harder for them to use the Internet safely."