SAN FRANCISCO—On Jan. 1 next year, anyone with a cell phone more than five years old will be unable to access the encrypted web—which includes sites such as Facebook, Google, and Twitter—according to a new plan to upgrade the way those sites are verified.
“It might not be a big deal in New York or San Francisco, where a five-year-old phone is treated as an antique, but in some parts of the developing world up to 7% of Internet users could find themselves suddenly cut off from the world's most popular sites,” explained John Oldshue, founder of SaveOnPhone.com.
“This is a story about encryption and the conflict between how you support the future and the past at the same time,” said Matthew Prince, CEO of CloudFlare, during an interview with BuzzFeed News. “It is important to remember that the Internet is not just guys with the newest laptops and an iPhone 6.”
According to BuzzFeed, the “why” behind the change has to do with how websites tell a user they are secure. Much of the web already is encrypted. The “https” and green lock at start of many URLs is a sign that that site has been certified, and that it is the real version of Google, Facebook, or the FI, rather than an imitation.
Websites are encrypted through “cryptographic hashing algorithm” — a code that is then translated by a browser. The problem, BuzzFeed explained, is that the current version, called SHA-1, is no longer safe, according to researchers who announced this October that they would be able to break the technology by the end of the year. So the CA/Browser Forum, the industry group that sets encryption policy, announced that as of midnight Jan. 1, it will no longer issue SHA-1 certificates. Instead, it’ll be opting for the new, stronger SHA-2 certificates.
“What the folks on the CA/Browser Forum say is that we should force people to move into the future, and that is a compelling argument. But we were studying what the potential effects of this were… and the problem is that people across the world, most of them in the developing world, use old phones or desktops that don’t update themselves, and they won’t be able to access the internet,” Prince told BuzzFeed. “We didn’t want to be hyperbolic. We wanted to be realistic. For the developing world, on average, 4% to 5% of visitors will simply be cut off.”
Some of the most affected countries will be Yemen (5.25% of browsers), Egypt (4.8%), and China, with over 6% of the country no longer being able to safely access encrypted sites. Overall, Prince said 37 million people could be affected.