
Facebook Tells Developers To Adopt SHA-2 Hash Function By October 1

Facebook announced that developers who build Facebook-connected apps will have to use the SHA-2 hashing function by October 1 or their apps will stop working with the service.

The SHA-2 set of cryptographic hash functions was designed by the NSA and was first published in 2001. Because of that, there may be a worry that SHA-2 isn't secure or could be backdoored. However, SHA-2 has also been used by the Bitcoin network since its launch in 2009. If there were such a vulnerability in it, it might have been found by now, as attackers would have much to gain from directly exploiting the Bitcoin network.

Facebook is following Google, Microsoft and Mozilla, who have already announced plans to phase out support for the currently used SHA-1 hashing function in the next two years. The difference is that apps will no longer be able to connect with Facebook if SHA-1 isn't replaced with SHA-2 by October 1, 2015, while the others are taking a more gradual approach.

Google has already been criticized for starting to label HTTPS connections that use certificates signed with SHA-1 and are valid past January 1, 2017 as untrustworthy. By pushing for mandatory use of SHA-2 by October 1 of this year, Facebook seems to be setting an even more aggressive timeline for the sunsetting of the SHA-1 function.

However, Facebook's timeline isn't quite as crazy as it may sound. The Certificate Authority and Browser Forum has recently published new Baseline Requirements for SSL under which CAs have to stop using SHA-1 signatures for their certificates by January 1, 2016. Facebook said that it will update its servers to stop accepting SHA-1 connections before this date, on October 1, 2015.

Facebook recommended that developers check their apps, SDKs, and devices that connect to Facebook to ensure they support the SHA-2 standard. If they already support it, then no changes will be necessary.
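One way to run that kind of check on certificates you operate or pin, as an added example that is not from Facebook or the original article: a standard-library DER reader that reports a certificate's signature algorithm and flags SHA-1 signatures that expire after the January 1, 2017 date mentioned above. The function names are hypothetical, and the `sample` certificates are constructed skeletons with no real key or signature.

```python
from datetime import datetime

# DER-encoded signature-algorithm OIDs (hex) -> (name, signed with SHA-1?)
SIG_ALGS = {
    "2a864886f70d010105": ("sha1WithRSAEncryption", True),     # 1.2.840.113549.1.1.5
    "2a8648ce3d0401": ("ecdsa-with-SHA1", True),               # 1.2.840.10045.4.1
    "2a864886f70d01010b": ("sha256WithRSAEncryption", False),  # 1.2.840.113549.1.1.11
    "2a8648ce3d040302": ("ecdsa-with-SHA256", False),          # 1.2.840.10045.4.3.2
}
CUTOFF = datetime(2017, 1, 1)  # expiry date the article cites for Google's labelling

def tlv(buf, pos=0):  # decode one DER element -> (tag, value, offset of next element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # split a constructed element's value into (tag, value) members
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def when(tag, val):  # UTCTime (0x17): 2-digit year, RFC 5280 pivot at 50; else GeneralizedTime
    s = val.decode()
    if tag == 0x17:
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")

def audit(der_cert):  # signature algorithm, SHA-1 use and expiry of one DER certificate
    cert = children(tlv(der_cert)[1])  # tbsCertificate, signatureAlgorithm, signature
    tbs = [m for m in children(cert[0][1]) if m[0] != 0xA0]  # drop optional [0] version
    not_after = when(*children(tbs[3][1])[1])  # tbs[3] = validity {notBefore, notAfter}
    oid_hex = children(cert[1][1])[0][1].hex()
    name, sha1 = SIG_ALGS.get(oid_hex, (oid_hex, False))  # unknown OIDs are shown as hex
    return {"sig_alg": name, "sha1": sha1, "not_after": not_after,
            "sha1_past_cutoff": sha1 and not_after > CUTOFF}

def der(tag, *parts):  # encoder for the constructed samples only (lengths under 128)
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)

def sample(oid_hex, not_after):  # constructed skeleton: real layout, no key or signature
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)), der(0x05))
    dates = der(0x30, der(0x17, b"150101000000Z"), der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg,
              der(0x30), dates, der(0x30), der(0x30))
    return der(0x30, tbs, alg, der(0x03, b"\x00"))
```

For a real certificate in PEM form, convert it first with `ssl.PEM_cert_to_DER_cert` and pass the result to `audit`.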
