
They can't refuse to use it? It seems to me that SHA1 should be deprecated.



I don't think you understand what the code is doing.

This is verifying certificates for HTTPS connections - not creating them. If they removed the SHA1 verification, you can no longer visit hundreds of millions of sites that haven't updated their certificates yet.

It's the people still using certificates with SHA1 hashes that need to upgrade.


But if browser makers decided not to support the hashes, the website owners would have to upgrade. Why allow them to continue to use weak hashes?


Because there isn't an attack that affects them.


As in, refuse to allow their browser to talk to sites on the Internet?


The percentage of sites using SHA256 certificates is tiny, and most CAs are still SHA1 based.



