Also, there's no problem (from a Chrome UX perspective) because
Mozilla's certificate expires on 7 December 2015 — well before that
bad 1 Jan 2017 date, and even before the dodgy 1 Jan 2016 date.

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

SHA-1 signature algorithms are not per se bad right now; what's bad is
certificate chains using SHA-1 that will/would be valid too far in the
future. Between now and 1 Jan 2016, and between then and 1 Jan 2017,
there is plenty of time to get a new certificate, signed with a
SHA-256-based signature function.

That's the whole point...

On Wed, Sep 24, 2014 at 1:54 PM, Chris Egeland <[email protected]> wrote:
> Rick,
>
> Long story short, upgrading the www.mozilla.org certificate to SHA-2 was
> costing them about 145,000 Firefox downloads per week.
>
> Details on the mozilla.org SHA-2 cert can be found here:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1064387
>
> Chris
>
> On 9/24/2014 4:23 PM, Rick Andrews wrote:
>> Kathleen, why is mozilla.org still using a SHA-1 cert?
>> _______________________________________________
>> dev-security-policy mailing list
>> [email protected]
>> https://lists.mozilla.org/listinfo/dev-security-policy