Sunsetting SHA-1

Tuesday, 22 December 2015

Twitter takes the responsibility of protecting our users and their data seriously. Over the years, we’ve implemented many security defenses such as content security policy, perfect forward secrecy, and privacy-protecting email security. We’ve also been consistently recognized by organizations such as the Online Trust Alliance for our commitment to security. As a result of ongoing security research into the weaknesses of SHA-1, we believe it’s time to move on from SHA-1 certificates.

We’re doing our part by deploying SHA-256 certificates on our Twitter endpoints and using cert switching: we serve a SHA-1 certificate only to clients we detect as lacking SHA-256 support. However, we are still concerned that the overall CA/B Forum migration plans don’t provide a sensible path forward for users whose low-end devices cannot support SHA-256 certificates.
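The cert-switching decision above has to be made before any certificate is sent, so it can only rely on what the client puts in its TLS ClientHello. The following is an added example, not Twitter’s implementation: it parses a ClientHello record and picks a chain using one assumed rule, namely that a client is treated as SHA-256 capable only if it offers TLS 1.2 and lists a SHA-256 entry in its signature_algorithms extension (RFC 5246 section 7.4.1.4.1), with everything else getting the legacy SHA-1 chain. The ClientHello bytes are constructed inline by a helper; the chain names are placeholders.

```python
"""Cert switching on the TLS ClientHello (added example, not Twitter's code).

Assumed rule: serve the SHA-256 chain only to clients that offer TLS 1.2 and
advertise a SHA-256 hash in signature_algorithms; otherwise serve the legacy
SHA-1 chain. RFC 5246 says a TLS 1.2 client that omits the extension is
assumed to support only SHA-1, so that case also falls back.
"""
import os
import struct

SIGNATURE_ALGORITHMS = 0x000D          # extension type (RFC 5246)
HASH_SHA1, HASH_SHA256 = 0x02, 0x04    # HashAlgorithm values (RFC 5246)
SIG_RSA = 0x01                         # SignatureAlgorithm value (RFC 5246)
TLS_1_0, TLS_1_2 = (3, 1), (3, 3)
SHA256_CHAIN, LEGACY_CHAIN = "sha256-chain", "sha1-legacy-chain"   # placeholders


def build_client_hello(version, sig_algs=None):
    """Construct a minimal ClientHello record for testing (constructed input)."""
    body = bytes(version) + os.urandom(32)          # client_version + random
    body += b"\x00"                                 # empty session_id
    suites = b"\xc0\x2f\x00\x2f"                    # two arbitrary cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # one compression method: null
    if sig_algs is not None:
        algs = b"".join(bytes(pair) for pair in sig_algs)
        ext_data = struct.pack("!H", len(algs)) + algs
        ext = struct.pack("!HH", SIGNATURE_ALGORITHMS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def _need(buf, pos, n):
    """Bounds check so a truncated or hostile hello raises instead of misparsing."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def parse_client_hello(record):
    """Return (client_version, {extension_type: extension_data})."""
    _need(record, 0, 5)
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    _need(record, 5, rec_len)
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hs_len)
    body = hs[4:4 + hs_len]
    pos = 0
    _need(body, pos, 2 + 32 + 1)
    version = (body[0], body[1])
    pos += 2 + 32                                   # client_version, random
    sid_len = body[pos]
    pos += 1 + sid_len                              # session_id
    _need(body, pos, 2)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                               # cipher_suites
    _need(body, pos, 1)
    cm_len = body[pos]
    pos += 1 + cm_len                               # compression_methods
    extensions = {}
    if pos < len(body):                             # extensions block is optional
        _need(body, pos, 2)
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        _need(body, pos, ext_len)
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            _need(body, pos, elen)
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return version, extensions


def supports_sha256_chain(record):
    """Assumed capability test: TLS 1.2 plus a SHA-256 signature_algorithms entry."""
    version, exts = parse_client_hello(record)
    if version < TLS_1_2:
        return False
    sa = exts.get(SIGNATURE_ALGORITHMS)
    if sa is None or len(sa) < 2:
        return False
    n = struct.unpack("!H", sa[:2])[0]
    pairs = sa[2:2 + n]
    # Each entry is a (hash, signature) byte pair; we only care about the hash.
    return any(pairs[i] == HASH_SHA256 for i in range(0, len(pairs) - 1, 2))


def choose_chain(record):
    """Pick which certificate chain to present for this ClientHello."""
    return SHA256_CHAIN if supports_sha256_chain(record) else LEGACY_CHAIN


if __name__ == "__main__":
    modern = build_client_hello(TLS_1_2, [(HASH_SHA256, SIG_RSA), (HASH_SHA1, SIG_RSA)])
    legacy = build_client_hello(TLS_1_0)
    print("modern client ->", choose_chain(modern))
    print("legacy client ->", choose_chain(legacy))
```

The rule is deliberately conservative: a client that negotiates TLS 1.2 but advertises only SHA-1, or omits signature_algorithms entirely, is still sent the legacy chain, because the ClientHello gives no evidence it can validate a SHA-256 signature. In production the hello is only one signal; operators also keep the fallback behind the additional controls the proposal describes, and log every legacy-chain selection so the remaining SHA-1 population can be measured as it shrinks.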

In our testing, we calculate that between 3% and 6% of Twitter users are on older devices that would be unable to access websites via HTTPS after the SHA-256 migration is complete. Many of these people are in parts of the world where it is prohibitively expensive to buy a new device. This puts these users in a difficult situation, faced with only two options: one, have their traffic trivially monitored as it passes over unencrypted HTTP; or two, have no access at all to the numerous websites that are only reachable over HTTPS.

Facebook and CloudFlare have also raised their concerns about this, and presented an amended proposal to the CA/B Forum to address the issue of older devices. This proposal ensures that the SHA-256 migration moves forward for the vast majority of modern web devices that are regularly updated. For the small percentage of old devices that cannot support SHA-256 (which still represents millions of people), their proposal outlines a reasonable path that provides continued access for a temporary period with SHA-1 certificates issued under strict additional controls.

We support the amended proposal that has been put forth by Facebook and CloudFlare to the CA/Browser forum for several reasons:

  1. The proposal ensures the continued migration to SHA-256 for all mainstream devices.
  2. It only allows legacy validated SHA-1 certificates when a domain also provides SHA-256 support.
  3. Legacy validated SHA-1 certificates are only available under specific requirements and will still sunset in March 2019.
  4. Increased randomization of serial numbers in legacy validated certificates makes SHA-1 collisions against them less likely.
  5. In the event an attack is discovered that enables misuse of SHA-1 certificates, the owners would stop using these legacy validated certificates.

Balancing security and accessibility is challenging, especially when considering older devices and transitions in technology. Twitter supports a path that provides maximum security for the majority of users while also ensuring those with low-end devices are not forced to choose between losing access and being exposed to privacy-invading monitoring over HTTP.