Facebook will drop support for weak SHA-1 encryption in apps and sites on October 1


Facebook today announced its plans to drop support for the SHA-1 cryptographic hash algorithm in apps and sites that connect to its service. The encryption requirement upgrade will go into effect starting on October 1, 2015.

Browsers and websites encrypt traffic to protect the contents of online communications, and they use a hash function to create a unique fingerprint for each chunk of data. This fingerprint is digitally signed to prove that a message has not been altered or tampered with as it passes through various servers.

When the Certificate Authority and Browser Forum published their Baseline Requirements for SSL in 2011, SHA-1 was essentially deprecated. They had identified security weaknesses in SHA-1, and recommended that all certificate authorities transition away from SHA-1 based signatures, with a full sunset date of January 1, 2016.

Facebook is merely helping push the stragglers along; its servers will simply stop accepting SHA-1 based connections sooner. In four months, apps and sites that don’t use SHA-2 certificate signatures will no longer be able to connect to Facebook.

Developers should thus check their applications, SDKs, and devices that connect to Facebook to ensure they support the SHA-2 standard. If your app already supports SHA-2, then there’s no need to worry about it breaking on October 1.

In September, Google announced plans to sunset SHA-1 in Chrome. The company has been working towards that goal, and as of Chrome 41, the browser treats certificate chains using SHA-1 that are valid past January 1, 2017 as “affirmatively insecure.”

SHA-1 was designed in 2005, and is widely considered too weak for proper security measures. Google and Facebook are taking the proactive approach in order to protect their users from attacks that are only getting cheaper and cheaper.
