by AlyssaRowan 4150 days ago
They might've passed the WebTrust audit, but I'm still pretty worried about their security posture.

Remember, unless you're pinning your certificate using DNSSEC+DANE or HPKP, in practice any CA in the world can issue certificates for any domain.

Let's recap: It's 2015. They're using SHA-1 for everything (NOOOO!). They're based in China, which has just said it wants to ban encryption. (So has Cameron in the UK, yes, but at least he hasn't won an election yet. Edit: he pledged to if he wins; we have a coalition government, nobody won last time, least of all us! <g>) It looks like they've messed up OCSP, so even their own cert doesn't pass. Oh, and RC4, TLS 1.0 only, check out their login server: https://www.ssllabs.com/ssltest/analyze.html?d=login.wosign.... - let's put the (slightly) stronger ones at the end, everyone! Ugh.

Let's Encrypt will do it properly. Or Else™. ;)

2 comments

You're completely right, and upvoted because THIS IS AN SHA1 CERTIFICATE, IT WILL TRIGGER BROWSER WARNINGS, YOU DON'T WANT IT should remain the top post, but David Cameron did actually win an election and is currently the Prime Minister of the UK.
In the spirit of your most thorough pedantry, I thought I'd correct your correction to say that OP is right, David Cameron didn't win an election, he won a seat as an MP.

None of the parties achieved the 326 seats required for an overall majority under the First Past the Post system. The Conservatives won the largest number of votes and seats but under FPTP rules were 20 seats short.

Good point. Such a pity the Conservatives elect their own leader with preferential voting but campaigned against the public doing the same.
Because it was designed to give undue influence to fringe parties. Real electoral reform would be proportional representation.
Do you have a reference for that? Is Australia trying to give undue influence to fringe parties? Are the Conservatives trying to promote fringe candidates?
In a leadership election, it's in their interest to have a clear winner with a large majority. In a general election, it's in nobody's interest and indeed, counter to the national interest to have a huge majority.
Or at least electoral boundaries that didn't unfairly benefit Labour
They also offer SHA2; only their intermediate cert is SHA1.
…and they've signed their own certificates with SHA-1 because…?
...because in China pre-SP3 Windows XP is still alive and doesn't work with SHA2
Not the kind of security decision I want to see a CA make!

Which underlies the problems with PKIX: any CA can sign anything, just about. Lowest common denominator. I actually prefer DNSSEC there myself - yes, yes, I know, hear me out for a moment! - because even if it's hierarchical, it's single hierarchical from those who are supposed to control the DNS anyway. (Of course, that still introduces points of attack. It's reasonable for countries to control ccTLDs but I wouldn't mind seeing IANA control the others under international law. And it doesn't really do it very well.)

In practice both have big flaws, but at least one can be used to pin the other so the benefits of both can be realised. Distributed systems may win in the end, but we're only at the start of that journey.

So... they manage to get the lowest denominator of SHA1 and SHA2 (which will probably remain SHA1 forever, but still...) -- because it'd be enough to compromise only one of these?