undefined | Better HN

0 pointspersonZ11y ago0 comments

If going SHA-2 only requires a request flag, why so long for a transition? Is there some downside (e.g. old clients that don't support it) that holds Google off?

0 comments

8 comments · 3 top-level

cbhl11y ago· 4 in thread

Windows XP SP 2 (SP 3 is fine) and early Android, I believe, are the clients that don't support certs later than SHA-1.

drdaeman11y ago

Just curious — does X.509 support multiple signatures, so both SHA-1 and SHA-2-based sigs could be included, one for legacy user-agents and one for modern ones?

cwyers11y ago

It has to be so frustrating to Google that the people responsible for Android make it so hard for users to upgrade to versions that support SHA-2.

GeneralMayhem11y ago

It's not Google's fault the telecoms cripple every phone they sell.

1 more reply

Someone123411y ago

There are also other (mostly unsupported) mobile devices which don't. Like old ebook readers which have browsers for some reason.

jtheory11y ago· 1 in thread

Lots of old clients still out there, including people who don't have the option to upgrade.

A couple of years ago we tried upgrading our certificate to SHA-2, and rolled it back within an hour, because it broke the site for several of our customers.

It might work now; IE6 users have (finally!) dropped to about 0, but we certainly have tons of IE7 users, and I'll have to look up versions of Windows they're using before we try it again.

We work with hospitals whose IT departments who need to control changes to their computing environments extremely carefully, and upgrades are unfortunately quite expensive and difficult for these kinds of environments.

yuhong11y ago

Fortunately, hopefully most enterprises moved to SP3 years ago. MS officially dropped XP SP2 support in mid 2010, and while MS does do Custom Support for older service packs, of course I hope no one is relying on it now. I think Custom Support for WinXP SP3 is IE8 only after the first year BTW.

agwa11y ago

First, it requires more than just a request flag, since that flag only affects the signature algorithm in your certificate signing request. Your certificate authority has to actually support signing certificates with SHA-2, and also needs a chain that uses SHA-2 signatures. There are some certificate authorities that are lagging behind here, such as RapidSSL.

Second, there are old clients out there that still don't support SHA-2. Namely, pre-SP3 Windows XP and pre-2.3 Android.

Edit: originally this comment said that only IE on pre-SP3 Windows XP was affected; apparently Chrome on pre-SP3 is as well, presumably because it uses some system libraries.

j / k navigate · click thread line to collapse