Facebook farewells flaky SHA-1

Hashed out of the network October 1

Facebook has set the date: on September 30, the ancient and creaking SHA-1 hashing algorithm will make its tumbril trip and get the chop.

SHA-1, designed by the NSA in 1995, is a one-way algorithm: a block of data is turned into a message digest. The digest can't be turned back into the original message, but serves as a digital signature confirming the authenticity of (for example) the software you've downloaded.

And it's long been on the end-of-life list, because it's vulnerable to collision attacks – different blocks of data can present the same SHA-1 hash, allowing malware to verify as if it were authentic.

From October 1, The Social NetworkTM says, third-party apps signed with SHA-1 will no longer be able to connect to Facebook.

As Facebook's Adam Gross blogs, the move is in line with the Certificate Authority and Browser Forum's intention to sunset SHA-1 by January 2016.

“We'll be updating our servers to stop accepting SHA-1 based connections before this final date, on October 1, 2015. After that date, we'll require apps and sites that connect to Facebook to support the more secure SHA-2 connections”, Gross wrote.

Facebook recommends that “applications, SDKs, or devices that connect to Facebook” be checked for SHA-2 support, to avoid user irritation.

The migration hasn't been without its detractors. Earlier this year, infosec bods told The Register the shift poses challenges. If users see disruption – for example, too many “insecure site” warnings – they fear that trust in the Internet will be undermined. ®


Biting the hand that feeds IT © 1998–2017