Yeah - as far as I know, CA's will just stop issuing SHA1 certificates as
of Jan 1 2016.  Chrome (and FF probably) have been issuing 'warnings' for
SHA1 certificates for quite some time now.  As you said, I think the real
problem (if any) will be in 2017 when Chrome and other vendors will present
hard/block errors for *any* SHA1 cert.

With this being said, people should have been testing SHA2 for quite some
time now.  Realistically, the only clients that should have problem with it
are very old (pre-SP3 XP, IE6, unpatched Windows 2003, old mobile operating
systems, etc).  We haven't really seen any issues other than with these old
legacy clients at $job, and we have been migrating everything to SHA2 for
the past year.

Josh



On Tue, Dec 22, 2015 at 12:47 PM, Ken Hohhof <[email protected]> wrote:

> Has anyone figured out if we should expect a flood of customer calls on
> January 1 related to deprecation of SHA-1 certificates?
>
> I keep seeing articles predicting Internet doomsday on January 1, 2016.
> But it looks to me like that's just the date CA's stop issuing new SHA-1
> certs and browsers will not accept SHA-1 certs ISSUED after January 1,
> which shouldn't happen anyway.  And that January 1, 2017 (or possibly
> earlier) is when OS and browser vendors may stop accepting older SHA-1
> certs.
>
> So wouldn't that be the date when we start getting customer calls, not
> January 1?
>
> Of course, I'm making the assumption that if a site that used to work now
> gets an error message, customers will call us assuming "the tower is down"
> or "my ISP is blocking sites".  Who else are they going to call?  Google?
> Microsoft?  The site owner who didn't get an updated cert?
>
>
> https://googleonlinesecurity.blogspot.ro/2015/12/an-update-on-sha-1-certificates-in.html
>
>

Reply via email to