SHA-1 cutoff could block millions of users from encrypted websites

Discussion in 'privacy technology' started by ronjor, Dec 10, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,798
    Location:
    Texas
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    What is not stressed in that article is that those two companies are NOT doing folks a favor, but just the reverse. We know that sha1 is weak and broken. Thus using it and especially patching methods to "jury rig" a user's ability to depend on it is crazy. It's time to move on and provide secure means to surf the web. The internet community has clearly determined it's not safe, so why countermand that fact and "patch" a way that may well hurt someone?
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,798
    Location:
    Texas
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Still a really bad idea to use it. Would a website be so cheap as not to generate a modern certificate? I know the answer for some is yes, but I bet it's really because they are being lazy (who cares) and not cheap. Examples in the USA would point to yet again how corporations bear NO responsibility for allowing their members to get hacked.

    Also, it's tough to be sympathetic to those folks that want to run so "open" to known flaws. I see their hardware is many years behind what everyone around me is using. Are they still doing WEP on their routers too?
     
  5. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
  6. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    Even the largest bank of Asia, State Bank of India, is still using SHA1. I doubt most of the sites would care unless Mozilla, Microsoft and Google took initiative to block these certificates.
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Unless of course their members being hacked meant that the BANK pays for all the losses and time lost. Around here, there is NO corporate responsibility being imposed on organizations that don't protect users.
     
  8. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    My other concern here is that we end up with a blended solution where your browser decides whether to use SHA1 or SHA2 based on capabilities. It really would open the path to downgrade attacks.

    My only concern is the impact on people from poorer countries who may have difficulties because their device does not support SHA2. In reality I don't know how big an issue this is. Unfortunately, I think it is time to move on regardless of the impact.
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Worse than "no responsibility" - since CISA, it's immunity. Which more or less mandates indiscriminate "sharing" to ensure the CYA part.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Firefox ban on SHA-1 certs causing some security issues, Mozilla warns
    http://arstechnica.com/security/201...s-causing-some-security-issues-mozilla-warns/
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402