undefined | Better HN

0 pointsmlissner11y ago0 comments

What's weird though is that they have a consortium. They could have all agreed simultaneously to stop issuing SHA1 certs years ago and at no market loss. But they didn't.

0 comments

4 comments · 2 top-level

mike_hearn11y ago· 2 in thread

No. They've been quite clear about this. CA's are still selling SHA1 certs because customers are asking for them. They're asking for them because they're compatible with more apps/devices and - until now - browsers treated them the same. So why sacrifice compatibility for no improvement.

The Chrome team are right to push this along, but I do have some sympathy for the CA's here too. I read the whole discussion and it's pretty clear that there was some epic miscommunication going on here. Notably Google thinks that removing the padlock icon is not "deprecation" according to the timetable Microsoft established, but all the people buying certs disagree; that's why they're doing it.

avz11y ago

> So why sacrifice compatibility for no improvement.

No improvement? How about improvement in security?

mike_hearn11y ago

The reality is most people running websites that use SSL are not security experts and cannot evaluate the weakness of SHA1 vs SHA2. So they trust the defaults, which are SHA1 (in e.g. openssl). Their goal is to get the padlock, not to achieve some other notion of security.

VLM11y ago

Its just like general aviation, changing anything means anyone who got p0wned (or crashed) in the last decade is going to file a david vs goliath lawsuit with the change itself as evidence of negligence. But if they change nothing, then they admit to no mistake.

j / k navigate · click thread line to collapse