Check the SSL Labs test: https://www.ssllabs.com/ssltest/analyze.html?d=hmrcset.trustis.com, rate F that even enabled SSL v2.
Best Regards, Richard On 16 Feb 2017, at 19:04, Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>> wrote: On Wednesday, 15 February 2017 22:02:50 UTC, Rob Stradling wrote: This currently unrevoked cert has a SHA-1/RSA signature, the serverAuth EKU and CN=hmrcset.trustis.com<http://hmrcset.trustis.com>: https://crt.sh/?id=50773741&opt=cablint It lacks the SAN extension, but that doesn't excuse it from the ban on SHA-1! At time of writing this certificate is installed on a web server, although I think only to re-direct visitors to the plain HTTP site. Whether the CA believed it would be used on a web server or not, that's what was done. https://hmrcset.trustis.com/ It's not clear to me whether this is a brochure site, and thus can just be upgraded or if it's actually part of the described HMRC SET system itself. Either way it's on the web. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy