
Is your phone’s browser going to stop working on 1 January?

Alphr, 24-12-2015, Ian Betteridge

Many users barely notice that a little green lock sometimes appears in their browser’s address bar. And it’s exactly this kind of user who is most at risk of losing the ability to browse the web from their phones at the start of 2016.

That’s the date when SHA-1 – a hashing algorithm used to sign web security certificates – will no longer be accepted by modern browsers. Most sites (including all the big ones) have already moved to using its replacement, SHA-2.

However, there’s a catch: SHA-2 isn’t supported by old browsers, mostly on older mobile phones. According to Facebook, between 3 and 7% of currently in-use browsers don’t support SHA-256, which means that, as of the beginning of the year, a big chunk of the secure internet will simply stop responding to them.

And this issue disproportionately affects the developing world, which, as Facebook points out, means that fewer governments and organisations will have the ability to deploy HTTPS if they still want to reach their target populations.

To try and ensure this doesn’t happen, CloudFlare, supported by Facebook, is proposing the creation of “a new type of Legacy Verified certificate that should only be issued to organisations that have demonstrated they are offering SHA-256 certificates to modern browsers”. This would allow sites that needed to continue to support older browsers to do so, while also ensuring that modern browsers aren’t subject to the security hazards inherent in continuing to have to accept SHA-1.

Not everyone agrees that this is a good solution. Ryan Sleevi, who works on Chromium's cross-platform crypto core, posted a series of tweets explaining why it was a bad idea:

Ranty Twitter time: Problems I have with the @CloudFlare / @alexstamos proposal: 1) Ignores the big elephant in the room (Android & Updates)

— Ryan Sleevi (@sleevi_) December 9, 2015

2) Attempts to subsidize access (costs go from client re: upgrades to server re: getting LV) and sacrifice security, favouring big players.

— Ryan Sleevi (@sleevi_) December 9, 2015

3) Both players 'call' on the CA/B Forum to act, but both know full well how to submit their feedback to the Forum and participate on sln

— Ryan Sleevi (@sleevi_) December 9, 2015

4) Uncharitably pose it as a "Silicon Valley elite vs the oppressed underdog" narrative when the at-risk population of SHA1 IS the oppressed

— Ryan Sleevi (@sleevi_) December 9, 2015

5) Fails to offer the role that these LV sites can have or play into making a more secure and accessible internet for everyone.

— Ryan Sleevi (@sleevi_) December 9, 2015

Sure, this doesn't help for cases like secondhand feature phones, but IE on XP RTM? Hell yes, it can make a difference! *cough* China

— Ryan Sleevi (@sleevi_) December 9, 2015

So will it affect you? If your phone is more than five years old and hasn’t been updated, it could. You can test to see what protocols your browser supports at this site – look for “Protocol details”, and if it supports SHA256/RSA, you should be okay. If it only supports SHA1/RSA, you’re likely to have problems.

Image by Kevin on Flickr
