Facebook Will Stop Supporting SHA-1 in October

Monday June 8, 2015

On June 2, 2015, Facebook announced that it would stop supporting Facebook-connected apps that were signed with SHA-1, as of October 1, 2015.

“These changes are part of a broader shift in how browsers and web sites encrypt traffic to protect the contents of online communications. Typically, web browsers use a hash function to create a unique fingerprint for a chunk of data or a message. This fingerprint is then digitally signed to prove that a message has not been altered or tampered with when passing through the various servers and systems between your computer and Facebook’s servers.” [https://developers.facebook.com/blog/post/2015/06/02/SHA-2-Updates-Needed/]

In its announcement, Facebook acknowledged that the CA/Browser Forum’s Baseline Requirements for SSL sunset SHA-1-based signatures as of January 1, 2016, but said that it would be “updating [its] servers to stop accepting SHA-1 based connections before this final date, on October 1, 2015. After that date, we’ll require apps and sites that connect to Facebook to support the more secure SHA-2 connections.”

Applications, SDKs, and devices that connect to Facebook will all need to support SHA-2; those that still rely on SHA-1-based certificates will not work with Facebook. The CA Security Council has prepared a whitepaper explaining some of the issues relevant to this transition.

This article was originally published by the "CA Security Council". In 2021 the CASC was restructured and renamed the "Public Key Infrastructure Consortium", or "PKI Consortium" for short.
