Tens of millions of Internet users will be cut off from encrypted webpages in the coming months unless sites are permitted to continue using SHA1, a cryptographic hashing function that's being retired because it's increasingly vulnerable to real-world forgery attacks, Facebook and Web security company CloudFlare have warned.

Facebook said as many as seven percent of the world's browsers are unable to support the SHA256 function that serves as the new minimum requirement starting at the beginning of 2016. That translates into tens of millions of end users, and a disproportionate number of them are from developing countries still struggling to get online or protect themselves against repressive governments. CloudFlare, meanwhile, estimated that more than 37 million people won't be able to access encrypted sites that rely on certificates signed with the new algorithm.

Both companies went on to unveil a controversial fallback mechanism that uses SHA1-based certificates to deliver HTTPS-encrypted webpages to people who still rely on outdated browsers. The remaining, much larger percentage of end users with modern browsers would be served HTTPS pages secured with SHA256 or an even stronger function. The mechanisms, which both companies are making available as open-source software, will allow websites to provide weaker HTTPS protection to older browsers while giving newer ones the added benefits of SHA256. Facebook is deploying the plan on most or all of the sites it operates, while CloudFlare will enable it by default for all of its customers. CloudFlare said other sites, including those run by Chinese portal Alibaba, are also implementing it.
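One way a server could make the choice described above, shown as an added example rather than Facebook's or CloudFlare's code: it assumes the decision is based on the hash algorithms the client lists in the TLS 1.2 `signature_algorithms` extension of its ClientHello, a detail the article does not give. The function names, certificate labels, and sample messages are constructed for illustration.

```python
import struct

# Assumption: selection keys off signature_algorithms; return labels are illustrative.
SHA2_HASH_IDS = {4, 5, 6}   # sha256, sha384, sha512 (RFC 5246 HashAlgorithm)
SIG_ALGS_EXT = 13           # signature_algorithms extension type

def advertised_hashes(hello: bytes) -> set:
    """Return HashAlgorithm ids from a ClientHello body's signature_algorithms."""
    pos = 2 + 32                                  # client_version + random
    pos += 1 + hello[pos]                         # session_id
    (n,) = struct.unpack_from("!H", hello, pos)
    pos += 2 + n                                  # cipher_suites
    pos += 1 + hello[pos]                         # compression_methods
    if pos >= len(hello):
        return set()                              # no extensions block at all
    (ext_total,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if ext_type == SIG_ALGS_EXT:
            (list_len,) = struct.unpack_from("!H", hello, pos)
            pairs = hello[pos + 2 : pos + 2 + list_len]
            return set(pairs[0::2])               # first byte of each pair = hash
        pos += ext_len
    return set()

def choose_certificate(hello: bytes) -> str:
    """SHA-256 chain if the client signals SHA-2 support, else the SHA-1 fallback."""
    try:
        hashes = advertised_hashes(hello)
    except (IndexError, struct.error):
        return "reject"                           # truncated or malformed hello
    return "sha256" if hashes & SHA2_HASH_IDS else "sha1-fallback"

def build_hello(version: bytes, sig_algs: bytes = None) -> bytes:
    """Constructed sample ClientHello body (not captured traffic)."""
    body = version + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if sig_algs is not None:
        ext = struct.pack("!HHH", SIG_ALGS_EXT, len(sig_algs) + 2, len(sig_algs)) + sig_algs
        body += struct.pack("!H", len(ext)) + ext
    return body

MODERN = build_hello(b"\x03\x03", b"\x04\x01\x05\x01\x02\x01")  # sha256/sha384/sha1 + RSA
LEGACY = build_hello(b"\x03\x01")                               # TLS 1.0, no extensions
SHA1_ONLY = build_hello(b"\x03\x03", b"\x02\x01")               # advertises sha1 only
```

A client that omits the extension is treated as SHA1-only, which matches the default RFC 5246 prescribes for RSA key exchange; any client that lists a SHA-2 hash never receives the weaker certificate.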

In a blog post published Wednesday, Facebook Chief Security Officer Alex Stamos wrote:

We don't think it's right to cut tens of millions of people off from the benefits of the encrypted Internet, particularly because of the continued usage of devices that are known to be incompatible with SHA-256. Many of these older devices are being used in developing countries by people who are new to the Internet, as we learned recently when we rolled out TLS encryption to people using our Free Basics Platform. We should be investing in privacy and security solutions for these people, not making it harder for them to use the Internet safely.

Both he and CloudFlare officials also called for changes in the official baseline requirements mandated by the CA/Browser Forum, the industry group that sets encryption policy for certificate authorities and browsers to follow. Under the proposal, the forum would adopt a new class of certificate known as the LV, short for legacy validated. It would be issued to organizations that have demonstrated they offer SHA256 certificates to modern browsers. Current requirements call for SHA1 to be retired on the first of the year with no exceptions.

Becoming Facebook

Like all hash functions, SHA1 takes a collection of text, computer code, or other message input and generates a long string of letters and numbers that serves as a cryptographic fingerprint for that message. Even a tiny change, such as the addition or deletion of a single comma in a 5,000-word e-mail, will cause a vastly different hash to be produced. Hashes are useful only when they're unique. The moment two different message inputs produce the same hash, the so-called collision can open the door to signature forgeries that can be disastrous for the security of banking transactions, software downloads, and website communications.

SHA1 has long been considered theoretically broken because it was known to be susceptible to collision attacks. The ever-increasing speed of computer chips has gradually brought such attacks within the reach of nation states and even criminal enterprises. In October, an international team of researchers warned that it might cost from $70,000 to $120,000 to carry out a limited collision attack on SHA1. At the time, the function was used to digitally sign an estimated 28 percent of the Internet's digital certificates. As a result, Internet companies put SHA1 on an accelerated retirement path, lest the weakness be exploited to generate certificates that cryptographically impersonate Google, Facebook, or other websites. All major browsers support SHA256, but that support isn't available for some people, most notably those using Windows XP prior to Service Pack 3 or devices running Android prior to the Gingerbread version.

The proposal by Facebook and CloudFlare to roll back some of those changes touched off howls of dissent from some security experts, including Ryan Sleevi, a Google employee who is a member of the Chromium cross-platform crypto team. In the hours after the proposals were announced on Wednesday morning, Sleevi's Twitter stream lit up with criticisms. "There's just perverse economies at play; need CAs to stop selling X in order to browser to block X," he wrote in one, referring to the browser-trusted certificate authorities.

@alexstamos There's just perverse economies at play; need CAs to stop selling X in order to browser to block X — Ryan Sleevi (@sleevi_) December 9, 2015

For his part, Stamos seemed to anticipate the controversy. "This is not an easy issue, and there are well-meaning people with good intentions who will disagree," he wrote in his blog post. "We hope that we can find a way forward that promotes the strongest encryption technologies without leaving behind those who are unable to afford the latest and greatest devices."