Slashdot Mirror
SHA-1 Cutoff Could Block Millions of Users From Encrypted Websites (csoonline.com)
itwbennett writes: As previously reported on Slashdot, browser makers are considering an accelerated retirement of the older and increasingly vulnerable SHA-1 function. But Facebook and CloudFlare are warning some 37 million users of old browsers and operating systems that don't support SHA-2 will be left without access to encrypted websites. The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world," CloudFlare's CEO Matthew Prince said Wednesday in a blog post. Facebook has solved this problem by building a mechanism that allows its certificates to be switched automatically based on the browser used by the visitor.
Errr... a GByte of data? Are you missconfussed with the pushed Windows 10 update?
Firefox was less than 50MB last time I did a full install.
The real problem in this case may end being that the overbloated browsers drop support for older systems.
Rather than guess what they are probably doing, the source code is here. https://github.com/facebook/wa... But you were pretty close. You're right that *some* browsers that *could* get an SHA2 certificate will get the SHA1 version. An improvement would be to present the SHA2 certificate if you're sure that the browser can accept it. Otherwise show the SHA1 certificate. Put a warning page up when presenting the SHA1 certificate suggesting that people upgrade browsers. For those that have older browsers that want the SHA2 certificate but are getting an SHA1, offer an alternative like sha2.facebook.com. I imagine that this is a very small set of users. And as has been mentioned already, certificate pinning is your friend.