by specialk 3836 days ago
There is a great Cloudflare article [1] that talked about this before, when they first suggested LV certs.

> The seemingly good news is that globally, SHA-2 is supported by at least 98.31% of browsers. Cutting 1.69% off the encrypted Internet may not seem like a lot, but it represents over 37 million people.

There is also an interesting discussion in Security Now #538 [2]; there is also a transcript of the show [3]. Skip to page 2 of 39, just where Leo says "Yeah". Android 2.2 and Windows XP SP2 are on the list of things that don't support SHA-2. These devices exist particularly in the developing world. It sends the wrong message, to the developing world in particular, if we don't support HTTPS for them. It encourages websites in areas where it isn't 1.69% of their users but maybe 5% of their users to just not enforce TLS. TLS with a SHA-1-signed LV cert is better than no security at all.

Facebook also has a cool server add-on to dynamically serve LV certs to those who need them, which is very promising. If it is in production at Facebook it is bound to be good.

[1] https://blog.cloudflare.com/sha-1-deprecation-no-browser-lef...

[2] https://www.grc.com/securitynow.htm

[3] https://www.grc.com/sn/sn-538.pdf
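An added illustration of the "serve the legacy cert only to clients that need it" idea discussed above. This is not Facebook's add-on or Cloudflare's code; it is an independent example that assumes one plausible selection rule: look at the TLS ClientHello's signature_algorithms extension (type 0x000D, TLS 1.2) and hand out the SHA-2-signed chain only to clients that advertise a SHA-2 hash there, falling back to the SHA-1-signed legacy chain for everyone else. The ClientHello messages are constructed inline; the chain labels and the `choose_chain` helper are hypothetical names for this example.

```python
import struct

# TLS handshake constants (RFC 5246): ClientHello message type and the
# signature_algorithms extension, whose entries are (HashAlgorithm, SignatureAlgorithm) pairs.
HANDSHAKE_CLIENT_HELLO = 0x01
SIGNATURE_ALGORITHMS_EXT = 0x000D
HASH_SHA1, HASH_SHA256, HASH_SHA384, HASH_SHA512 = 2, 4, 5, 6
SIG_RSA = 1
SHA2_HASHES = {HASH_SHA256, HASH_SHA384, HASH_SHA512}

# Hypothetical chain labels; a real server would map these to certificate files.
CHAIN_SHA2 = "sha256-signed chain"
CHAIN_SHA1 = "sha1-signed legacy chain"


def build_client_hello(version, sig_algs=None):
    """Construct a minimal ClientHello handshake message (sample input for this example)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, empty session id
    suites = [0x002F, 0x0035]                                    # TLS_RSA_WITH_AES_{128,256}_CBC_SHA
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # compression methods: null only
    if sig_algs is not None:                                     # TLS 1.0/1.1 clients send no extension
        sa = b"".join(struct.pack("!BB", h, s) for h, s in sig_algs)
        ext = struct.pack("!HHH", SIGNATURE_ALGORITHMS_EXT, len(sa) + 2, len(sa)) + sa
        body += struct.pack("!H", len(ext)) + ext
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Parse the fields of a ClientHello we need: version, cipher suites and extensions."""
    if msg[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    data = msg[4:4 + length]
    if len(data) != length:
        raise ValueError("truncated ClientHello")
    off = 0
    version, = struct.unpack_from("!H", data, off); off += 2
    off += 32                                                    # client random
    sid_len = data[off]; off += 1 + sid_len                      # session id
    cs_len, = struct.unpack_from("!H", data, off); off += 2
    cipher_suites = list(struct.unpack_from("!%dH" % (cs_len // 2), data, off)); off += cs_len
    comp_len = data[off]; off += 1 + comp_len                    # compression methods
    extensions = {}
    if off < len(data):                                          # extensions block is optional
        ext_len, = struct.unpack_from("!H", data, off); off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, off); off += 4
            extensions[etype] = data[off:off + elen]; off += elen
    return {"version": version, "cipher_suites": cipher_suites, "extensions": extensions}


def advertises_sha2(extensions):
    """True if the client listed a SHA-2 hash in signature_algorithms."""
    body = extensions.get(SIGNATURE_ALGORITHMS_EXT)
    if body is None:
        return False
    n, = struct.unpack_from("!H", body, 0)
    pairs = body[2:2 + n]
    return any(h in SHA2_HASHES for h in pairs[0::2])            # even offsets hold the hash id


def choose_chain(client_hello):
    """Pick the SHA-2 chain for clients that advertise SHA-2, the legacy SHA-1 chain otherwise.
    Assumption of this example: this is deliberately conservative. A client that sends no
    signature_algorithms extension (any pre-TLS 1.2 client) may still verify SHA-2 certificates,
    but without the signal we cannot tell, so it gets the legacy chain."""
    hello = parse_client_hello(client_hello)
    return CHAIN_SHA2 if advertises_sha2(hello["extensions"]) else CHAIN_SHA1


# Constructed sample ClientHellos: a modern TLS 1.2 client, an old TLS 1.0 client,
# and a TLS 1.2 client that only offers SHA-1 signatures.
MODERN_HELLO = build_client_hello(0x0303, [(HASH_SHA256, SIG_RSA), (HASH_SHA384, SIG_RSA), (HASH_SHA1, SIG_RSA)])
LEGACY_HELLO = build_client_hello(0x0301)
SHA1_ONLY_HELLO = build_client_hello(0x0303, [(HASH_SHA1, SIG_RSA)])

if __name__ == "__main__":
    for name, hello in [("modern", MODERN_HELLO), ("legacy", LEGACY_HELLO), ("sha1-only", SHA1_ONLY_HELLO)]:
        print(f"{name:10s} -> {choose_chain(hello)}")
```

The check to keep in mind when deploying anything like this: the legacy chain must only ever go to clients that fail the SHA-2 test, otherwise the SHA-1 deprecation buys nothing, and the decision has to be made before the ServerHello, which is why it keys off the ClientHello rather than anything negotiated later.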

1 comment

The Android one is an error from a GlobalSign page, later corrected. Android uses OpenSSL, I think, and has supported SHA-2 certificates since 1.0.