On Monday, 7 November 2016 13:11:50 UTC, Phillip Hallam-Baker wrote:
> None of the current browser versions support SHA-1. Yes, people could in
> theory turn it back on for some browsers but that isn't an argument because
> the same people can edit their root store themselves as well. Yes people
> are still using obsolete versions of Firefox etc. but do we really think
> that SHA-1 is the weakest point of attack?

1. Browsers do still trust SHA-1 certificates.

2. This attack can produce a working CA under the control of the attacker. Thus 
while it's not the most likely attack it makes up for that by being extremely 
serious.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
