Slashdot Mirror


Microsoft Follows Mozilla In Considering Early Ban On SHA-1 Certificates (csoonline.com)

itwbennett writes: Following the first successful collision attack on the SHA-1 hashing algorithm last month, Mozilla said that it was considering a cut-off of July 1, 2016 to start rejecting all SHA-1 SSL certificates, ahead of an earlier scheduled date of Jan. 1, 2017. And now Microsoft is considering blocking the hashing algorithm on Windows by June next year.

2 of 47 comments

  1. Re:Overrides by Zuriel · Score: 5, Informative

    You can join the ranks of people holding on to WinXP virtual machines because they need them to administer that one device that needs a certain version of Java 1.4 and Firefox 3.6.

  2. Try not to be misguided by GuB-42 · Score: 5, Insightful

    It's fine rejecting insecure certificates, but sometimes I'd rather have browsers get their priorities in order.
    If you go on an SSL website that uses a self-signed certificate or uses a slightly outdated one, you are presented with a scary warning page with multiple clicks needed to get to it. However, plain HTTP goes right through, even though it is less secure than SSL with any bogus certificate.

    Instead of a ban, I'm all for a rating system, like:
    - Strong: everything OK, strong crypto
    - Medium: slightly outdated, weaker crypto (SHA-1 could be on this level)
    - Weak: self-signed, completely outdated
    - None: HTTP
    - Dangerous: revoked, mismatched certificate, suspect behavior (such as a decrease in security from last visit)
    Only the "dangerous" category should trigger a warning; for the other categories, a different "lock" icon should be sufficient. Like the crossed-out "https" in Google Chrome.
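GuB-42's tiered rating proposal, as an added Python example that is not part of the thread: a rating function that applies the five tiers in precedence order (the "dangerous" checks first, then plain HTTP, then the certificate checks) and also downgrades to "Dangerous" when the rating has dropped since the last visit. The field names, the list of weak signature algorithms, and the 90-day boundary between "slightly" and "completely" outdated are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Tiers from the comment, ordered best to worst (lower index = stronger).
RATINGS = ["Strong", "Medium", "Weak", "None", "Dangerous"]

# Assumption: SHA-1 and MD5 signatures count as "weaker crypto" (Medium tier).
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}

# Assumption: up to 90 days past expiry is "slightly outdated", beyond is "completely".
SLIGHTLY_OUTDATED_MAX_DAYS = 90


@dataclass
class Connection:
    """Constructed view of what a browser knows about one page load."""
    scheme: str                      # "https" or "http"
    sig_alg: Optional[str] = None    # certificate signature algorithm, None for http
    self_signed: bool = False
    days_expired: int = 0            # 0 = still valid, >0 = days past notAfter
    revoked: bool = False
    hostname_matches: bool = True


def rate(conn: Connection, last_rating: Optional[str] = None) -> str:
    """Return the tier for this connection; last_rating is the tier seen on the previous visit."""
    # Dangerous conditions win regardless of anything else.
    if conn.revoked or not conn.hostname_matches:
        return "Dangerous"
    if conn.scheme != "https":
        rating = "None"
    elif conn.self_signed or conn.days_expired > SLIGHTLY_OUTDATED_MAX_DAYS:
        rating = "Weak"
    elif conn.days_expired > 0 or conn.sig_alg in WEAK_SIG_ALGS:
        rating = "Medium"
    else:
        rating = "Strong"
    # "Decrease in security from last visit" is itself a Dangerous signal.
    if last_rating is not None and RATINGS.index(rating) > RATINGS.index(last_rating):
        return "Dangerous"
    return rating


def should_warn(rating: str) -> bool:
    """Only the Dangerous tier gets an interstitial; the rest just change the lock icon."""
    return rating == "Dangerous"
```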