Facebook wants a kinder, gentler end for SHA-1

Facebook has broken ranks with the world's major browser vendors, asking that the ancient SHA-1 hash algorithm go out with a whimper rather than a bang. As has been predicted for some years, computing power has long since caught up with SHA-1, and today's best practice is to replace it with SHA-256. Microsoft, Mozilla and …

  1. Voland's right hand Silver badge

    The joy of having to support all those Nokia 40 family phones

    Well, that is what happens when you infest every single non-upgradeable and non-updateable feature phone in the world with your app. You get the backwards compatibility scenario from hell.

    In the meantime, we can fetch some popcorn, sit back, relax and enjoy the show.

    1. Dan 55 Silver badge

      Re: The joy of having to support all those Nokia 40 family phones

      I'm sure there's still a lot of XP SP0/1/2 out there too. Or earlier still.

      1. Dan 55 Silver badge
        WTF?

        Re: The joy of having to support all those Nokia 40 family phones

        Downvoted because downvoter doesn't realise that XP lower than SP3 doesn't do SHA-256 and there's a whole lot of world out there where XP SP0/1/2 is considered good enough?

  2. Paul Crawford Silver badge

    Of course this is not helped by the muppets at Google & Firefox, etc, dropping support for web browsers on the likes of XP even though a significant number of folk still rely on it.

    For the technically competent there is always Linux for safely browsing using old machines, but that is hardly a solution for the majority who don't even grasp what an operating system is, let alone that it can be replaced on existing hardware.

    1. BinkyTheMagicPaperclip Silver badge

      Muppets? You mean sensible companies. XP is completely unsupported for anything other than embedded users, and soon that will cease too.

      XP was released in 2001 and people are complaining about support! The line has to be drawn somewhere. Whinge about Apple, instead, where the hardware is substantially more expensive than a PC, and the operating systems only supported for a few years.

      1. Tomato42
        FAIL

        @BinkyTheMagicPaperclip: not to mention that the deprecation of SHA-1 impacts only Windows XP SP2 and older. Windows XP SP3 is just fine. So that's not a problem for people that run old software. It's a problem for people that run old software and never updated it.

        Kill SHA-1, let's show that the industry can learn from its mistakes.

        1. Anonymous Coward

          @Tomato42: I supported a very expensive system used in a particular industry. Some geniuses coded it such that it was totally borked by Windows updates. These systems also had to have some form of network access to allow remote administration/assistance...

          If you're paying attention, that's expensive, mission-critical hardware accessible to the internet running Win XP with updates turned off.

          On the bright side, none of those machines should be browsing the net, anyway. (Most IT departments at remote sites were absolutely paranoid about locking everything down around them and securing our route in even without knowing about the no-update issue.)

        2. Anonymous Coward

          Tomato42: Sorry but knowing about SP3 for Windows XP and being able to download it can be difficult to impossible in the lesser developed countries. It's why, if you pay attention to such things, that you see individual and preinstalled updates listed on torrent sites, especially FLOSS, not just the pirated works. And that's completely ignoring caps.

          Legacy exists for numerous reasons, especially the political-economy factors. Y'all need to spend some quality time with conditions that most of this world's citizens live with.

      2. Anonymous Coward

        Yes and No

        I agree with you about XP it is time for it to die (for systems/devices connected to the Internet)

        As for Apple, remember that their OS upgrades are free. My 2008 MacBook runs the latest version of OSX. But you can ignore them if you want.

        Apple are not the worst offenders by a long chalk. Just turn your attention to the Android world. How many million phones are being used every day that have not had any form of update for a year?

        1. BinkyTheMagicPaperclip Silver badge

          Re: Yes and No

          Even with free operating systems, Apple can be sub par depending on which model is bought, although free upgrades are a recent development.

          PC wise Vista SP1 (actually usable) was released February 2008, and is supported till 2017, so worst case is nine years of support. An older XP box would receive around 6.5-7 years of support (2007 to April 2014). If you're pedantic and insist Vista was usable out of the door (hoho), that's eleven years.

          Looking at 2007 Macs, the August iMacs are still supported. However, anything else that year is stuck on Lion, so that's seven years of support (last patch date, about September 2014) and then the system is junk. Practically any Vista capable PC is capable of running later versions of Windows (yes, chargeable, but cheaper than a new computer).

          Absolutely no argument with Android, the situation is disgraceful. If you buy an Android phone that isn't rootable, you are a fool, or should prepare to throw it away in 18 months. If you're lucky, the limit is four years, judging from the Google and Samsung stagefright patches.

          1. Boothy

            Re: Yes and No

            Quote: " If you buy an Android phone that isn't rootable,..."

            Or buy a Nexus device.

            But otherwise, I think 'disgraceful' is an apt word to describe updating from many vendors.

            I've got an LG Gpad tablet (v500), it's just over a year old, and still on 4.4. This despite a Google Play Edition of the same device getting 5.1 back in April. :-/

            Come on LG, extract finger and release 5.1 for the v500s! (or better yet, 6.0.1 which popped up OTA on my 2 year old Nexus 5 yesterday).

            1. BinkyTheMagicPaperclip Silver badge

              Re: Yes and No

              I specifically didn't say 'Nexus device' because the Galaxy Nexus and older appear not to have been patched for Stagefright. Course, at least it's rootable.

    2. Dan 55 Silver badge

      Firefox still works with XP SP2 and SP3. Whether its memory requirements let it work with the average XP SP2 or SP3 machine is another question...

  3. Adam 1

    > He says Facebook has been experimenting with a graceful fallback, so that if a user agent can't cope with SHA-256 it can still connect

    Great work guys! I can't imagine anything wrong with your graceful fallback suggestion.

  4. xj650t
    Coat

    Oh think

    Of all the adverts people with browsers that don't support SHA256 won't be able to see.

  5. Anonymous Coward

    “We should be investing in privacy"

    So, he'll be suggesting they shut down facebork?

  6. dotdavid

    “We should be investing in privacy and security solutions for these people, not making it harder for them to use the Internet safely”

    How does letting them continue to use an old easily-exploitable cypher help them use the internet safely?

  7. nijam Silver badge

    > ... harm users in developing countries

    Hmmm... what would really harm users in developing countries is being dragged into the mess that is facebook.

  8. JEF_UK

    Poodle-like down-grade attack?

    Could this approach allow for a MITM to "interfere"* with the HTTP header and pretend to be a lesser browser?

    Force the client to a less secure encryption that could be broken?

    * à la I.P. bill

    1. NotBob

      Re: Poodle-like down-grade attack?

      In theory, we could help mitigate that possibility by having modern browsers insist on the more secure, as the server should never have to run in the older method.

      Tinfoil hats will quickly see some problems this doesn't address.
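As an added example (not code from the article or from any commenter), here is the strict-client check NotBob's reply points at, applied to the downgrade worry JEF_UK raises above: a client reads the signatureAlgorithm of the certificate it was actually served and refuses SHA-1 whatever a user-agent-based fallback on the server side decided. The DER walker, the OID table and the constructed placeholder certificates are assumptions of this example; it uses only the Python standard library.

```python
# Added example (not from the article or any commenter): a modern client
# refusing a SHA-1-signed certificate regardless of what the server chose to
# serve after sniffing the User-Agent. Stdlib-only DER walk; samples constructed.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def certificate_signature_oid(der):
    """Return Certificate.signatureAlgorithm.algorithm as a dotted OID."""
    outer, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, _tbs, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    alg_tag, alg, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if (outer, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER-encoded Certificate")
    return _decode_oid(oid)

def accept_certificate(der):
    """(True, oid) for a non-SHA-1 signature, (False, reason) if SHA-1 was used."""
    oid = certificate_signature_oid(der)
    if oid in SHA1_SIGNATURE_OIDS:
        return False, f"refusing {SHA1_SIGNATURE_OIDS[oid]} ({oid})"
    return True, oid

def _der(tag, contents):
    """Minimal DER encoder (short-form lengths only) used to construct samples."""
    return bytes([tag, len(contents)]) + contents

def build_sample_certificate(sig_oid_hex):
    """Constructed stand-in: tbsCertificate and signatureValue are placeholders."""
    tbs = _der(0x30, b"")                                                    # placeholder
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL
    sig = _der(0x03, b"\x00" * 9)                                            # placeholder
    return _der(0x30, tbs + alg + sig)
```

Run this over every certificate in the served chain except the trust anchor, whose own signature the client never relies on; the OID hex for sha1WithRSAEncryption is 2a864886f70d010105 and for sha256WithRSAEncryption 2a864886f70d01010b.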
