The slow death of old standards and Facebook's role
Facebook sits at the crossroads of two outdated standards that combine security problems with broad compatibility.
Nearly 1.5 billion people worldwide use Facebook. That’s roughly in line with the number of Android devices and Windows PCs in use, and somewhat larger than the billion-odd iOS devices ever sold. Facebook isn’t an operating system, even though it’s a platform: It’s a base on which Facebook pushes out its own software and other parties develop and deploy apps that run on the Facebook infrastructure.
Thus, the decisions it makes have broad repercussions, especially because its users cut across every operating system and browser, through native and web apps. Facebook sits at the juncture of two significant technology challenges, which have roots years in the past, and which both threaten the safety and security of Internet users.
The never-ending death of Flash
I come not to bury Flash, but to praise it. The technology was once invaluable, then trouble, then a morass of exploitable security issues, and now a terrible, terrible zombie. Over five years after Steve Jobs declined to participate in Adobe’s hallucination that Flash could run effectively on iOS—Adobe was never able to get this to work with Android even with Google’s cooperation—the graphics-software giant threw in the towel December 1.
Security researchers have said to stop using Flash for years, and the tone and intensity of that warning only increased in 2015. Technically, Adobe just renamed its Flash-creation tool, which can still output Flash-compatible files, but it’s the final admission of defeat.
Yet Flash lives on because it’s so embedded (literally) in places like Facebook. Google was able to retool YouTube over time to rely more heavily on HTML5, and offer it preferentially to browsers that can handle it, but even in the latest version of Safari, YouTube’s HTML5 player is substantially less full-featured than the Flash version. But it’s all getting better.
Facebook just moved almost entirely away from Flash earlier this month for videos hosted on its site. It’s still allowing Flash for apps built for its site, although it’s trying to move away from that, and giving Adobe “security information” in the meantime.
Both I as an individual and Macworld as a resource recommend disabling Flash entirely. If there’s a specific purpose for which you need it, make sure you keep it up to date, and use ClickToPlugin for Safari to prevent automatic loading. It lets you whitelist sites, but it prevents by default all sorts of auto-play plug-in media. You can enable a built-in feature for Chrome and configure options in Firefox.
Facebook’s continued support for Flash keeps users at risk even as the company isn’t at fault for picking the right cross-platform desktop interactive solution at the time it did. It should hasten efforts to get rid of Flash entirely, and that will eliminate the vast majority of remaining legitimate use.
Check, but verify
Facebook also occupies an odd position in regards to digital certificate security for secure web connections. As I wrote recently, a technology that allows websites’ secure connections to be cryptographically verified as originating from a given domain name has aged past usefulness. The SHA-1 standard has already been superseded by a far-superior SHA-2 suite, but the older version lingers on. It’s not known to be broken yet, allowing spoofing of secure sites, but it’s on a very fast track to that end.
After years of wrangling, this December 31 was supposed to be the cutoff date for the certificate authorities (CAs) who create these counter-signatures for websites to issue SHA-1 certificates. And those certificates were supposed to expire no later than December 31, 2016. Every major browser has a different strategy on whether it will warn, accept, or block SHA-1 certificates during 2016, varying also by when they were issued or expire. Google may accelerate shutting down Chrome for accepting SHA-1-signed connections by as early as mid-2016.
But Facebook and CloudFlare don’t want SHA-1 to disappear quite yet. There are many millions of people in the world who are using outdated mobile and desktop operating systems that can’t support newer certificates. If SHA-1 certificates disappear entirely, those older systems’ browsers won’t be able to make secure connections. Then those visitors will either drop down to a sniffable insecure link or be unable to use a site or service at all.
Facebook’s role here is generally more benign. It wants to keep serving an outdated SHA-1 certificate to these older browsers, using sensing that would make sure to only feed an outdated method. That sounds fine by itself, but this requires a change in the agreed-upon transition, so that the CAs would be able to issue limited-purpose legacy certificates.
The trouble is, when SHA-1 breaks, we won’t know it. Governments will almost certainly have the computational capacity and ability to create a valid forgery and use it before academics and independent researchers can prove a definitive crack. People with older computers and devices using outdated browsers are predominantly located in countries in which there’s less of a democratic process at work, rendering them more vulnerable if their government deploys such interception. (Anything governments can do, criminals can too, only slightly slower.)
Facebook doesn’t want to cut off millions, but instead of investing in perpetuating SHA-1, I’m surprised they didn’t try to release a browser for old flavors of Windows XP and Android that would be able to take advantage of an only slightly newer cryptographic protocol.
Putting bandages all over the Internet comes with a price of reliability and security. Facebook isn’t a bad actor by any means, but its temporary solutions leave some of its most outdated and vulnerable users at the greatest risk.