Facebook has warned that an obscure algorithm poses a security danger to users of the platform in many countries because it is soon to be retired and the replacement will not work with older browsers.
SHA-1 will stop being supported by web browsing programs during next year. The newer version SHA-2 is not compatible with older programs used by millions of people across the world to browse the internet and to share information on social networks.
The social media giant pointed out that many of those at risk of becoming vulnerable to the security flaw already live in countries and regions when internet usage is closely monitored.
Facebook’s chief security officer Alex Stamos wrote: “We don’t think it’s right to cut tens of millions of people off from the benefits of the encrypted internet.”
Data gathered by Facebook points towards between 3% and 7% of all web browsers being too old to use the next generation SHA-2.
The systems are used as a guarantee of identity and to conceal what people do online. However, recently it has become easier for hackers to impersonate websites and spy on data because the cost of mounting such an attack has dropped dramatically.
The retirement of SHA-1 looks certain to hit those the hardest who need it the most. Security firm Cloudflare joined Facebook in highlighting the possible effects of the changeover by drawing up a list of the nations where older browser usage is most common.
Co-founder of Cloudflare Matthew Prince wrote in a blog post: “Unfortunately, this list largely overlaps with lists of the poorest, most repressive and most war-torn countries in the world.”
Call for changes
The two companies also joined together to issue a call for changes to be made in the way that web browsers handle SHA-1 after it has been retired. This could allow it to still be used for anyone working with a browser that can’t accept the new and updated version of the algorithm.
Of course, the majority of those going online will already be using modern browsers that will be able to handle the changeover to SHA-2 without noticing the difference.