Get everyone to upgrade their browser. Generally, if they're browsing with
an old, shitty browser it will only work with SSLv2 and SSLv3 / SHA1, and
will not understand TLSv1.2.

It's a basic yes/no threshold, if their browser is newer than a certain
version number, it supports TLSv1.2 and SHA256. Get them to find the About
-> Version box for their browser and tell you the version.

Anything recent, whether Chrome, Firefox, Opera, IE, Edge, whatever will
understand TLS v1.2 and SHA256.

Having people complain sucks, but it is not an ISP's responsibility to
ensure that your client device (PC, laptop, tablet, whatever) has the
latest OS updates and software versions on it. It's a very low threshold to
meet - if they take their old PC into some repair shop, all it needs is a
fresh install of Windows 7 home + automatic updates turned on. If they
actually let their PC download and install all their automatic updates,
even if they insist on using IE (ughhh....), they'll be covered.


On Tue, Dec 22, 2015 at 9:47 AM, Ken Hohhof <[email protected]> wrote:

> Has anyone figured out if we should expect a flood of customer calls on
> January 1 related to deprecation of SHA-1 certificates?
>
> I keep seeing articles predicting Internet doomsday on January 1, 2016.
> But it looks to me like that's just the date CA's stop issuing new SHA-1
> certs and browsers will not accept SHA-1 certs ISSUED after January 1,
> which shouldn't happen anyway.  And that January 1, 2017 (or possibly
> earlier) is when OS and browser vendors may stop accepting older SHA-1
> certs.
>
> So wouldn't that be the date when we start getting customer calls, not
> January 1?
>
> Of course, I'm making the assumption that if a site that used to work now
> gets an error message, customers will call us assuming "the tower is down"
> or "my ISP is blocking sites".  Who else are they going to call?  Google?
> Microsoft?  The site owner who didn't get an updated cert?
>
>
> https://googleonlinesecurity.blogspot.ro/2015/12/an-update-on-sha-1-certificates-in.html
>
>

Reply via email to