Facebook has stopped SHA-ring, a year later than it promised

The Social Network™ revoked its SHA-1 certs in November, but promised to stop serving traffic with the algo last year

Facebook's quietly taken its SHA-1 certificates out behind the data centre with an electrified degaussing machine.

The SHA-1 hashing algorithm was declared unreliable back in 2005. By 2010, hackers cracked a password hashed with SHA-1 using just US$2 of resources rented from Amazon Web Services. In 2015 researchers blew the whole routine with $75,000 of AWS resources.

Which is why the likes of Microsoft, Mozilla and Google have all named kill dates for their wares' use of the hashing function.

Facebook did likewise in 2015, promising deprecation by October 1, 2015.

It now turns out The Social Network™ kept SHA-1 around a little longer, as a new post reveals the company was worried that some of its users accessed its services on devices that could not support TLS certificates that improve on SHA-1.

The post by production engineer Wojciech Wojtyniak also reveals that the company stopped serving SHA-1 traffic in November, “and there has been no measurable impact.”

“As a result, we are going to revoke our SHA-1 certificates,” Wojtyniak writes. “We look forward to the industry's movement toward greater use of stronger certificates like SHA-256.” ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021