Guh, until CF/FB can provide some data that shows users with no upgrade path are genuinely going to be effected by this, and not connections MITM'd by some crappy AV or other random middlebox the LV proposal seems like a pretty silly idea...
Software "with no upgrade path" that hasn't been proven correct relative to a formal specification and deployed in an appropriate context (sufficient conditions to consider it a "not software" black box) should be considered a mistake and the responsible parties should be held accountable for reparations. Complacency with its continued existence is unsustainable.
Obviously this is an idealistic "should", but we need to take every available step to move towards this stance because a policy of limiting the networked universe based on the worst common denominator client results in an inescapable black hole of technical debt.
Open-source software plays into this model beautifully because it makes it much easier to propagate improvements across the entire space of systems. There remain some problems such as langauge interoperability ("best implementation of protocol X is in language Y but our system is written in Z and the Y-Z interop story is bad") which I'd like to see people give more attention. We need to address the quadratic workload of porting/binding every library to every language.
There is a great clourflare article [1] that has talked about this before when they first suggested LV certs.
> The seemingly good news is that globally, SHA-2 is supported by at least 98.31% of browsers. Cutting 1.69% off the encrypted Internet may not seem like a lot, but it represents over 37 million people.
There is also an interesting discussion in Security Now #538 [2] there is also a transcript of the show [3]. Skip to page 2 of 39 just where Leo says "Yeah". Android 2.2 and Windows XP SP 2 are on the list of things that don't support SHA-2. These devices exist particularly in the developing world. It sends the wrong message, to the developing world in particular, if we don't support HTTPS for them. It encourages websites in areas where it isn't 1.69% of their users but maybe 5% of their users to just not enforce TLS. TLS with a SHA-1 signed LV cert is better than no security at all.
Facebook's also has a cool server add-on to dynamically serve LV certs to those who need them is very promising. If it is in-production at Facebook it is bound to be good.
Most releases of Symbian don't support sha2 certs with the system SSL library (which is what the built in browser uses). Many Symbian devices are not upgradable to the release that does support it.
Obviously this is an idealistic "should", but we need to take every available step to move towards this stance because a policy of limiting the networked universe based on the worst common denominator client results in an inescapable black hole of technical debt.
Open-source software plays into this model beautifully because it makes it much easier to propagate improvements across the entire space of systems. There remain some problems such as langauge interoperability ("best implementation of protocol X is in language Y but our system is written in Z and the Y-Z interop story is bad") which I'd like to see people give more attention. We need to address the quadratic workload of porting/binding every library to every language.