Facebook has joined Microsoft's and Google’s efforts to phase out the use of SHA-1 to sign apps and websites.
From October 1 this year, apps that don’t support SHA-2 (or SHA-256) certificate signatures won’t be able to connect to Facebook, the company said on Tuesday, announcing its move to push third-party app developers toward a more secure cryptographic standard for signing apps.
“As part of our commitments to helping developers build secure apps and protecting the people who use Facebook, we’re updating our encryption requirements for Facebook-connected apps to reflect a new and more secure industry standard,” Facebook said today.
That deadline may force a lot of developers to move off the widely used SHA-1 hashing function, which has long shown signs of weakness and has consequently been deprecated by Microsoft, Google and organisations like the CA/Browser Forum.
Microsoft in 2013 advised customers and certificate authorities that its Root Certificate Program for Windows would reject SHA-1 SSL certificates from January 1, 2017, and that such certificates should be replaced by SHA-2 certificates by that date.
Google is handling the phase-out a little differently for Chrome: in September last year it announced a more aggressive timeline based on a system of escalating warnings, starting with Chrome 39 (released in November last year), that tells users an HTTPS site signed with SHA-1 is either “secure, but with minor errors”, “neutral, lacking security” or “affirmatively insecure”.
At the time of Google’s policy update, some observed that the search company aimed to pressure website owners into moving beyond SHA-1 by “threatening them with user confusion”.
Prior to this, the CA/Browser Forum deprecated the use of SHA-1 in 2011 when it published the Baseline Requirements for SSL.
Facebook points out that the browser forum has now set a “full sunset date for January 1, 2016”, and is looking for developers of Facebook-connected apps to beat that deadline by a few months.
“We'll be updating our servers to stop accepting SHA-1 based connections before this final date, on October 1, 2015. After that date, we'll require apps and sites that connect to Facebook to support the more secure SHA-2 connections.”
“We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard. If your app already supports this standard, then no action is necessary. But if your app relies on SHA-1 based certificate verification, then people may encounter broken experiences in your app if you fail to update it.”
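The check Facebook recommends above comes down to one question: which hash algorithm signed the certificates your app's TLS stack will be asked to verify? The following Python script is an added example written for this article, not code from Facebook or from CSO Australia. It walks the outer DER structure of an X.509 certificate (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }), decodes the signatureAlgorithm OID and reports whether the signature uses SHA-1. It uses only the standard library; `sample_certificate()` builds a constructed, structurally valid but unverifiable certificate skeleton so the script runs offline, and `check_server()` (hypothetical name) shows how the same parser would be applied to a live server's PEM certificate.

```python
import base64
import ssl

# Signature-algorithm OIDs (dotted form) mapped to (name, digest).
# The SHA-1 entries are the signatures that stop working after the cutover.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
}

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted notation."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:                  # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Return (oid, name, digest) for the outer signatureAlgorithm of a DER certificate."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)              # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)          # signatureAlgorithm: AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)       # first element of AlgorithmIdentifier: the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(oid_bytes)
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest

def uses_sha1(der):
    """True if the certificate's own signature is a SHA-1 variant."""
    return signature_algorithm(der)[2] == "sha1"

def pem_to_der(pem):
    """Strip PEM armour (e.g. from ssl.get_server_certificate) and base64-decode."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def check_server(host, port=443):
    """Hypothetical helper: fetch a live server's leaf certificate and report its digest.
    Not exercised offline; note it inspects the leaf only, not intermediates."""
    return signature_algorithm(pem_to_der(ssl.get_server_certificate((host, port))))

# --- constructed sample data (not a real certificate) --------------------------------

def _tlv(tag, content):
    """Minimal DER encoder with short- and long-form lengths, used only to build samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out

def sample_certificate(sig_oid):
    """Constructed Certificate skeleton: dummy tbsCertificate, real AlgorithmIdentifier,
    dummy signature long enough to force long-form lengths (as real certificates have)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                  # INTEGER serial only
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")       # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 256)                              # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        cert = sample_certificate(oid)
        print(signature_algorithm(cert), "SHA-1:", uses_sha1(cert))
```

Feed `signature_algorithm()` the DER of a real certificate (or PEM via `pem_to_der()`) and it reports the digest without any third-party library. One caveat worth keeping in mind when auditing an app: the field checked here is the algorithm that signed this certificate, so a chain is only SHA-2 clean if every certificate in it except the self-signed root passes; a SHA-256 leaf issued by a SHA-1-signed intermediate still fails once SHA-1 is rejected.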
This article is brought to you by Enex TestLab, content directors for CSO Australia.