Martes, Hunyo 2, 2015

Facebook will drop support for weak SHA-1 encryption in apps and sites on October 1

facebook_logo_tall
Twisted Agile: We're taking elements Agile dev and shaking it up with savvy best practices for better, faster outcomes. Sign up for our free webinar on June 11 at 10 a.m. PST/11 p.m. EST.

Facebook today announced its plans to drop support for the SHA-1 cryptographic hash algorithm in apps and sites that connect to its service. The encryption requirement upgrade will go into effect starting on October 1, 2015.

Browsers and websites encrypt traffic to protect the contents of online communications using a hash function. A unique fingerprint is created for each chunk of data and is digitally signed to prove that a message has not been altered or tampered with when it passes through various servers.

When the Certificate Authority and Browser Forum published their Baseline Requirements for SSL in 2011, SHA-1 was essentially deprecated. They identified security weaknesses in SHA-1 and recommended that all certificate authorities transition away from SHA-1 based signatures, with a full sunset date of January 1, 2016.

Facebook is merely helping push the stragglers along; its servers will simply stop accepting SHA-1 based connections sooner than that cutoff. In four months, apps and sites that don’t use SHA-2 certificate signatures will no longer be able to connect to Facebook.

Developers should thus check their applications, SDKs, and devices that connect to Facebook to ensure they support the SHA-2 standard. If your app already supports SHA-2, then there’s no need to worry about it breaking on October 1.

In September, Google announced plans to sunset SHA-1 in Chrome. The company has been working towards that goal, and as of Chrome 41, the browser treats certificate chains using SHA-1 that are valid past January 1, 2017 as “affirmatively insecure.”

SHA-1, designed in 2005, is widely considered too weak for proper security measures. Google and Facebook are taking the proactive approach in order to protect their users from attacks that are only getting cheaper and cheaper. While this might be seen as a short-term pain for developers, it’s better for all in the long-term.

More information:

Powered by VBProfiles

VentureBeat’s VB Insight team is studying marketing and personalization... Chime in here, and we’ll share the results.
More information:

Powered by VBProfiles

Ipinaskil ni sa

Walang komento:

Mag-post ng isang Komento

Mag-subscribe sa: I-post ang Mga Komento (Atom)