Facebook has stopped SHA-ring, a year later than it promised
The Social Network™ revoked its SHA-1 certs in November, but promised to stop serving traffic with the algo last year
Facebook's quietly taken its SHA-1 certificates out behind the data centre with an electrified degaussing machine.
The SHA-1 hashing algorithm was declared unreliable back in 2005. By 2010, hackers cracked a password hashed with SHA-1 using just US$2 of resources rented from Amazon Web Services. In 2015 researchers blew the whole routine with $75,000 of AWS resources.
Facebook acted in 2015 too, promising to deprecate SHA-1 by October 1, 2015.
It now turns out The Social Network™ kept SHA-1 around a little longer, as a new post reveals the company was worried that some of its users accessed its services on devices that could not support TLS certificates that improve on SHA-1.
The post by production engineer Wojciech Wojtyniak also reveals that the company stopped serving SHA-1 traffic in November, “and there has been no measurable impact.”
“As a result, we are going to revoke our SHA-1 certificates,” Wojtyniak writes. “We look forward to the industry's movement toward greater use of stronger certificates like SHA-256.” ®