Facebook today announced its plans to drop support for the SHA-1 cryptographic hash algorithm in apps and sites that connect to its service. The encryption requirement upgrade will go into effect starting on October 1, 2015.
Browsers and websites use a hash function as part of encrypting traffic to protect the contents of online communications. A unique fingerprint (digest) is computed for each chunk of data and digitally signed, proving that a message has not been altered or tampered with as it passes through various servers.
When the Certificate Authority and Browser Forum published their Baseline Requirements for SSL in 2011, SHA-1 was essentially deprecated. They identified security weaknesses in SHA-1 and recommended that all certificate authorities transition away from SHA-1 based signatures, with a full sunset date of January 1, 2016.
Facebook is merely helping push the stragglers along; its servers will simply stop accepting SHA-1 based connections sooner than that cutoff. In four months, apps and sites that don’t use SHA-2 certificate signatures will no longer be able to connect to Facebook.
Developers should thus check their applications, SDKs, and devices that connect to Facebook to ensure they support the SHA-2 standard. If your app already supports SHA-2, then there’s no need to worry about it breaking on October 1.
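One concrete way to perform that check is to look at the signature algorithm recorded in each certificate in the chain your app presents or trusts. The script below is an added example, not code from Facebook or the article; it uses only the Python 3 standard library and decodes just enough DER to read the `signatureAlgorithm` field of an X.509 certificate. The `make_fake_cert` helper and the OID table are constructed for the demonstration (the fake certificate has the outer X.509 layout only and is not a real certificate); `check_server` fetches a live leaf certificate and needs network access.

```python
import ssl

# Common certificate signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, name) from the signatureAlgorithm field of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, start, _ = _read_tlv(der, 0)              # outer Certificate SEQUENCE
    assert tag == 0x30
    tag, _, tbs_end = _read_tlv(der, start)         # tbsCertificate SEQUENCE (skipped)
    assert tag == 0x30
    tag, alg_start, _ = _read_tlv(der, tbs_end)     # signatureAlgorithm AlgorithmIdentifier
    assert tag == 0x30
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # algorithm OBJECT IDENTIFIER
    assert tag == 0x06
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, SIG_ALG_OIDS.get(oid, "unknown")


def classify(der):
    """'sha1' if the cert is SHA-1 signed, 'sha2' if SHA-2 signed, else 'unknown'."""
    name = signature_algorithm(der)[1].lower()
    if name == "unknown":
        return "unknown"
    return "sha1" if "sha1" in name else "sha2"


def check_server(host, port=443):
    """Fetch a live server's leaf certificate (network access) and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return classify(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test fixture: minimal DER with the outer X.509 shape only ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_fake_cert(sig_oid):
    """Constructed sample (not a real certificate) carrying the given signature OID."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                      # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 128)                  # placeholder signature
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, signature_algorithm(make_fake_cert(oid)), classify(make_fake_cert(oid)))
```

Run it against every certificate your app ships or pins (leaf and intermediates; a self-signed root's own signature is not what the cutoff is about), and treat an `unknown` result as something to investigate rather than as a pass.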
In September, Google announced plans to sunset SHA-1 in Chrome. The company has been working towards that goal, and as of Chrome 41, the browser treats certificate chains using SHA-1 that are valid past January 1, 2017 as “affirmatively insecure.”
SHA-1, designed in 2005, is widely considered too weak for proper security measures. Google and Facebook are taking a proactive approach in order to protect their users from attacks that are only getting cheaper. While this might be seen as short-term pain for developers, it’s better for all in the long term.
Update on October 2: Developers need more time, so Facebook has pushed back the deadline to October 31.