Is your browser in the Goldilocks zone?

If your web browser is too old, you will not be able to access sites using strong security.
If your web browser is too new, it will prevent you accessing sites with weaker security.

So most corporates will need to make sure their browsers are just right – the Goldilocks zone – not too weak, but not too secure.

There are two pesky algorithms at the bottom of this: SHA1 and RC4.


SHA1 is a hashing algorithm used in TLS connections; but it has been known for a while that with increases in computing power, it is weak. It has been replaced with SHA256, commonly SHA2 for short. This is good, however, it leaves a legacy to deal with.

Some web sites still operate with SHA1 certificates (one million sites according to Netcraft). This is particularly a problem with bespoke corporate applications running on internal web sites.

Come January 1st, 2017, an increasing number of browsers, including the latest releases from Microsoft, Firefox and Chrome will simply not accept SHA1 certificates. These sites will be cut off from new browsers.  (Microsoft have also hinted this date could come forward to June 2016).  Chrome is already showing warnings to users accessing SHA1 sites.

You could use an old browser (not recommended due to known vulnerabilities, etc). However, if you use a browser that is too old, it will not be able to handle SHA2. So new sites running SHA2 only will be cut off from old browsers.

The following graphic from Cloudflare gives a useful summary:

Goldilocks Zone browser blog
Image Copyright – CloudFlare



SHA1 is not the only issue, the RC4 cipher is deprecated too, and browsers are withdrawing support. This has fewer potential implications, but legacy, bespoke in-house applications could have an issue.

How did we get here?

We’ve known for many years that we must patch, and keep software up to date, to mitigate malware.  We’ve known that using TLS is good to maintain our privacy, but we seem to have overlooked the details of exactly how those TLS connections are working.

While most commercial services are migrating for latest algorithms, many bespoke / internal applications have become left behind, and it is these services that are likely to be the cause of headaches as browsers refuse to access SHA1.

We have similar issues with SSL migration too.  We know SSL is insecure, and you should be using TLS.

What should you do?

First and foremost, you should use a current, fully patched browser for accessing anything on the Internet. The malware / ransomware risk of old browsers is just too high to use anything less.

My recommendation is you take an audit of all the business critical applications using TLS, and determine which use SHA1. At the same time hunt down anything using SSL.

Then plan to upgrade these (where possible) to using SHA2, by December 31st, 2016 at the latest and if not before. Where this is not possible you need to determine dual-browser strategies.

Of course, you could always call Qonex for help too…