Slashdot Mirror


SHA-1 Cutoff Could Block Millions of Users From Encrypted Websites (csoonline.com)

itwbennett writes: As previously reported on Slashdot, browser makers are considering an accelerated retirement of the older and increasingly vulnerable SHA-1 function. But Facebook and CloudFlare are warning that some 37 million users of old browsers and operating systems that don't support SHA-2 will be left without access to encrypted websites. The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world," CloudFlare's CEO Matthew Prince said Wednesday in a blog post. Facebook has solved this problem by building a mechanism that allows its certificates to be switched automatically based on the browser used by the visitor.

3 of 146 comments

  1. Think of all the Oracle users? by mveloso · Score: 4, Funny

    Some of the older Oracle products only support SHA-1. Upgrading to a newer version of Oracle will cost them millions. Won't someone think of the Oracle user base?

  2. Slashdot will remain accessible by Ksevio · Score: 5, Insightful

    Fortunately, Slashdot will remain accessible as it still hasn't entered the 2010s and added encryption yet!

  3. Re:Facebook -- ??? by Anonymous Coward · Score: 4, Insightful

    Nope.

    Here's how this spins out.

    If you got a nice shiny new SHA-2-only browser, and you go to the real Facebook, it has a SHA-2 cert and everything works, and you're safe.
    If you got a crappy browser that can't handle SHA-2, and you go to the real Facebook, it shows a SHA-1 cert, which you trust, you are at risk, but only because you've got a crappy browser. Hate the risk? Get a newer browser.
    If you got a nice shiny new SHA-2-only browser and a bad guy pretends to be Facebook, sends the SHA-1 cert, your browser says "Ugh, insecure, No" and you're safe and the bad guy wasted their time.
    If you got a crappy browser that can't handle SHA-2 and a bad guy pretends to be Facebook, they might _if they spent a lot of money / resources_ fake you out. So you should have got a nice shiny new browser.