
As sites move to SHA2 encryption, millions face HTTPS lock-out - JoachimS
http://www.zdnet.com/article/as-sha1-winds-down-sha2-leap-will-leave-millions-stranded/?linkId=18208342
======
eastdakota
At CloudFlare, our solution to this problem for our customers is to
automatically support SHA2 for modern browsers and fall back to SHA1 for
legacy browsers that don't support SHA2. This is in place for most paying
customers already. It will be complete for all paying customers by the end of
the week.

For free customers using our Universal SSL solution, only modern browsers are
supported so it has only used SHA2 certificates since it launched over a year
ago.

The danger is that after December 31, 2015 we may no longer be able to get
SHA1 certificates for new customers because CAs have been told by browser
vendors to no longer issue them. While that won't cause a problem for modern
browsers, for legacy browsers that can't be upgraded it will mean they will
not be able to access the encrypted web. Unfortunately, that
disproportionately affects regions of the world where censorship risk is high.
In Iran, China, and parts of Africa with more restrictive governments, legacy
browser traffic is as high as 30%.

If providers like CloudFlare, who can safely support SHA1 certificates only for
legacy browsers while supporting SHA2 for modern browsers, cannot continue to
get SHA1 certificates, then we risk cutting off a substantial portion of the
most vulnerable Internet users from the encrypted web. That is a bad outcome.

We will be talking more about this on our blog in the coming weeks and plan to
open source the TLS handshake fingerprinting logic we're using to identify
what browsers only support SHA1. I'm hopeful that the browser vendors and CAs
will do the appropriate thing by requiring modern browsers to only support
modern hashing algorithms but allow providers like us to continue to support
the best available cryptography for those users who cannot upgrade to the
latest browser tech.

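The post above says CloudFlare picks a SHA1 or SHA2 certificate per connection by fingerprinting the TLS handshake. The following is an added example, not CloudFlare's fingerprinting code, showing the one signal the handshake itself carries for this decision: the TLS 1.2 signature_algorithms extension (RFC 5246 section 7.4.1.4.1). A TLS 1.2 client that lists a SHA-2 hash there can take a SHA2 certificate; one that lists only SHA-1/MD5, or omits the extension (which RFC 5246 defines as meaning SHA-1), cannot; and a TLS 1.0/1.1 client carries no such extension at all, so the handshake alone does not answer the question for it. The `build_client_hello` helper and all fixtures are constructed for the example; the function names are the example's own.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm ids (RFC 5246 section 7.4.1.4.1)
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
SHA2_HASH_IDS = {3, 4, 5, 6}
EXT_SIGNATURE_ALGORITHMS = 13
TLS_1_2 = (3, 3)


def build_client_hello(version, cipher_suites, sig_algs=None):
    """Construct a minimal ClientHello record (constructed fixture, not a real capture).

    version: (major, minor), e.g. (3, 1) for TLS 1.0, (3, 3) for TLS 1.2.
    cipher_suites: list of 16-bit suite ids.
    sig_algs: list of (hash_id, sig_id) pairs for signature_algorithms, or None to
              omit the extensions block entirely, as a pre-1.2 client would.
    """
    body = bytes(version)
    body += b"\x00" * 32                                  # client random (fixed for the fixture)
    body += b"\x00"                                       # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += b"\x01\x00"                                   # one compression method: null
    if sig_algs is not None:
        pairs = b"".join(bytes(p) for p in sig_algs)
        ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(pairs) + 2)
        ext += struct.pack("!H", len(pairs)) + pairs
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return version, cipher suites and signature_algorithms from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    version = (hello[0], hello[1])
    pos = 2 + 32                                          # skip client random
    pos += 1 + hello[pos]                                 # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                                 # skip compression methods
    sig_algs = []
    if pos + 2 <= len(hello):                             # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SIGNATURE_ALGORITHMS and len(data) >= 2:
                n = struct.unpack("!H", data[:2])[0]
                sig_algs = [(data[2 + i], data[3 + i]) for i in range(0, n, 2)]
    return {"version": version, "cipher_suites": suites, "signature_algorithms": sig_algs}


def classify_hash_support(info):
    """Decide which certificate hash family the handshake lets the server offer.

    'sha2'       -> TLS 1.2 client advertising a SHA-2 hash in signature_algorithms
    'sha1-only'  -> TLS 1.2 client advertising nothing beyond SHA-1/MD5 (an absent
                    extension means {sha1} by the RFC 5246 default)
    'pre-tls1.2' -> TLS 1.0/1.1 client: the extension does not exist at that version,
                    so the handshake alone does not say; other signals are needed
    """
    if info["version"] < TLS_1_2:
        return "pre-tls1.2"
    if any(h in SHA2_HASH_IDS for h, _ in info["signature_algorithms"]):
        return "sha2"
    return "sha1-only"


def describe(info):
    """Human-readable signature_algorithms list, e.g. ['sha256/ecdsa', 'sha1/rsa']."""
    return ["%s/%s" % (HASH_NAMES.get(h, h), SIG_NAMES.get(s, s))
            for h, s in info["signature_algorithms"]]


if __name__ == "__main__":
    fixtures = {
        "modern":     build_client_hello((3, 3), [0xC02F, 0x009C], [(4, 3), (4, 1), (2, 1)]),
        "tls12-sha1": build_client_hello((3, 3), [0x002F], [(2, 1)]),
        "tls10":      build_client_hello((3, 1), [0x0004]),
    }
    for name, rec in fixtures.items():
        info = parse_client_hello(rec)
        print(name, info["version"], describe(info), "->", classify_hash_support(info))
```

The third outcome is the one that matters for the XP and older-Android populations discussed in this thread: many of them negotiate TLS 1.0, where the handshake says nothing about hash support, so a server that wants to serve them a SHA2 certificate only when it will actually validate has to rely on something other than the ClientHello. The safe default for that bucket is the conservative one.
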
~~~
DanielDent
(A) A significant percentage of users with legacy browsers _could_ upgrade (by
installing Chrome or Firefox, instead of relying on a woefully out of date
bundled browser). If much of the internet stops working for them, I imagine
knowledge of how to get it working again will spread pretty quickly.

(B) It seems incredibly difficult (impossible?) to support graceful downgrade
to older insecure approaches to TLS without also introducing the opportunity
for a downgrade attack.

Many of the TLS attacks we've witnessed over the last few years seem to be the
direct result of bending over backwards to maintain backwards compatibility.
I'm unconvinced it can be done safely.

~~~
ploxiln
Amusingly, these users may not be able to download modern browsers from the
official websites, which will of course be only available over TLS for obvious
security reasons ...

~~~
biot
You mean as the article explicitly points out with "Mozilla's one million
downloads mistake"? I'm not sure how that could be considered amusing.

~~~
ploxiln
Unintended consequences. Unfortunate. But after you've seen enough of them,
funny as well.

------
MichaelApproved
Can someone please explain why this encryption limitation is OS level and not
application level? XP can't handle new encryption but why can't Firefox/Chrome
on XP handle it? Why can't they include their own updated encryption code
within their browser?

~~~
pilif
They can and they do. Mozilla uses NSS, Chrome their own OpenSSL fork
(BoringSSL). This only really affects IE and other applications which don't
have to be actual browsers.

This mess also affects me greatly because I have around 2k Windows Mobile 6
based barcode scanners around which use SSL. Their HTTP client is just using
the OS provided APIs.

Now we're going to have to use a self-signed cert and update the application
to accept that pinned cert.

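The approach pilif describes above (a self-signed certificate that the client accepts by pin rather than by chain validation) is a defensible pattern for a device whose OS TLS stack can no longer validate public CA chains. The following is an added example of that client-side check, not pilif's code or any vendor's; it assumes a Python client, a placeholder pin value, and a hypothetical `connect_pinned` helper. The key property is that chain validation is switched off only because the fingerprint check replaces it, and the connection fails closed when the pin does not match.

```python
import hashlib
import hmac
import socket
import ssl

# Placeholder (constructed): in a real deployment this is the SHA-256 of the DER
# encoding of the self-signed certificate that ships with the client application.
PINNED_CERT_SHA256 = "<hex sha-256 of the pinned DER certificate>"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare the presented leaf certificate against the pin in constant time."""
    return hmac.compare_digest(fingerprint(der_cert), pinned_hex.strip().lower())


def connect_pinned(host: str, port: int, pinned_hex: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that trusts exactly one certificate: the pinned one.

    Hostname and chain checks are disabled because a self-signed certificate has
    no chain to validate; the fingerprint comparison is the whole trust decision,
    so a mismatch closes the socket and raises instead of continuing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)   # server_hostname still sends SNI
    der = tls.getpeercert(binary_form=True)
    if not der or not pin_matches(der, pinned_hex):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Usage sketch only; the host and pin are placeholders, so this is not run here.
    # with connect_pinned("scanner-backend.example", 443, PINNED_CERT_SHA256) as s:
    #     s.sendall(b"GET / HTTP/1.0\r\n\r\n")
    print("pinned fingerprint format:", fingerprint(b"example-der-bytes"))
```

The trade-off, which the thread's remarks about unupgradable devices illustrate, is that a pinned self-signed certificate can only be rotated by shipping a new application build; the pin should therefore be stored somewhere the application can update it and a second pin for the replacement certificate should be accepted before the old one expires.
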
~~~
userbinator
One solution is to use a proxy. I run a filtering proxy, and force all HTTP
and HTTPS traffic through it. It can be upgraded easily since it uses the
standard OpenSSL DLLs.

Courtesy of that, this comment has been posted to HN with TLSv1.2
ECDHE-RSA-AES128-GCM-SHA256, from a client that only supports TLS 1.0 and
nothing beyond RC4-MD5. (It's actually configured to ask for
ECDHE-RSA-AES256-GCM-SHA384 first, which is probably overkill, so I don't see
many servers that choose it.)

~~~
pilif
That's another very good idea I'm going to look into, though I'm a bit wary
of dealing with writing and/or finding and compiling a proxy server for a
version of Windows CE that's now 4 years out of support.

------
madaxe_again
Nobody seems to have yet picked up on TLS 1.0 becoming obsolete next June for
PCI purposes - about 20% of Web users can't do better without an OS upgrade -
IE on XP, older Android, etc. We've been measuring this for about a year and
it was 24% this time last year.

Can't see that percentage dropping all that much before then, and clients
won't be blaming users' poor practices or the PCI council - it'll be the fault
of Web developers, everywhere.

~~~
michaelt

      20% of Web users can't do better without an
      OS upgrade - IE on xp

XP users don't need an OS upgrade - they just need to switch to Firefox or
Chrome.

~~~
Zachery
Chrome is already dropping XP support in just a month or two. While Firefox is
not going to change in the short term, it's really not a great idea to stay on
XP if you have a way out.

~~~
Dylan16807
Still, even if they dropped support today, the current version is a huge
improvement over an IE that hasn't been updated in most of a decade.

------
mtgx
They've had plenty of warning. We've already seen that SHA1 could soon be
cracked by relatively cheap computing power. Also, this is essentially saying
that 3rd party companies should continue to support Windows XP, which is
silly, considering even Microsoft stopped (officially) supporting it a while
ago.

------
theandrewbailey
SHA256 software compatibility:
[https://support.globalsign.com/customer/portal/articles/1499...](https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility)

------
hsivonen
Sadly, XP users who should be installing Firefox or Linux or Nokia users who
should be installing Opera Mini don't read tech news. Is anyone trying to
inform them ahead of time?

~~~
eastdakota
Worse than that. As the migration to SHA2 is forced, even if they want to
upgrade they won't be able to because they won't be able to securely download
executables for modern browsers.

Catch-22

~~~
hsivonen
Hence, "ahead of time".

------
xenophonf
It's a damn shame that X.509v3 doesn't support multiple signatures on a single
certificate. That would really ease the transition to new signing algorithms.
I can't really fault the CAs or browser developers here because X.509 doesn't
facilitate forwards compatibility.

------
2bluesc
Everyone is talking about personal computers and mobile devices. Not
mentioned: the IoT movement with devices in the field with minimal
capabilities and no path for upgrade.

Older versions of devices like TI's CC3200 (which appears to support SHA2 in
hardware at least) will be forced offline without an upgrade (and in many
cases I assume SW implementation of missing HW algos).

It's ironic: device developers tried to be forward looking with TLS security
only to stumble over it later. I'm sure the subset of decisions makers that
are clueless will blame security for crippling their systems. Now security is
evil to the ignorant.

tl;dr: Plan for upgradability with embedded hardware products.

------
conorpp
No, it's not SHA2 encryption. SHA2 is a hashing function, meaning it's one
way. Encryption is two way or else it wouldn't work. People often confuse the
two but they are quite different.

------
nefitty
Does anyone have any sense of who or what groups would benefit from dropping
$75k on developing an attack that might not even return any results? I've
heard a bit about the underground Russian scene. Those guys are smart and
their leaders are motivated and loaded.

------
ck2
Only Windows XP SP2 IE8/7 and Android 2.2 are affected.

Even I use Windows XP SP3 (and Firefox/Chrome anyway, not native IE).

No idea what percent of Android 2 users are out there, but even I dumped my
last 2.2 phone recently - KitKat 4 is so much better.

~~~
iSnow
[http://www.statista.com/statistics/271774/share-of-android-p...](http://www.statista.com/statistics/271774/share-of-android-platforms-on-mobile-devices-with-android-os/)

0.2%. Don't know if locking them out is really a problem.

~~~
ck2
When I see numbers that low I start thinking it is bots spoofing user agents
based on old code.

Just like you still see IE6/7 user agents sometimes.

However, the millions of vulnerable KitKat installs over the next decade are
alarming.

------
borplk
XP is 14 years old, I don't care what bullshit excuses you have. It's your
problem now and the world is not going to wait for you. Sick and tired of
people offloading responsibility to the rest of the world because they can't
be bothered to spend the time and resources to catch up with time.

~~~
Someone1234
Windows XP actually supports it, you just need SP3 installed (released in
2008). Android 2.2.x (and below) is the biggest group of incompatible users;
many XP users will be fine.

And before someone says "Android 2.2 users can just install custom ROMs!!!",
keep in mind that a lot of unbranded or no-name handsets exist in other parts
of the world, without a big enough community to create and maintain custom
ROMs.

A lot of devices are legitimately stuck on 2.2 or 2.1.

