In my previous blog post, "SHA-1 Deprecation: Pro, Con, or Extend?", I was a bit sarcastic about an anonymous company wanting to keep producing SHA-1 out of lazy greed rather than helping customers.
Here's an update by Symantec about their latest actions.
Basically, the proposal to extend SHA-1 certs was withdrawn because, during the ballot debate, so many new attacks against SHA-1 were revealed that... oh, the embarrassment.
So now companies can request SHA-1 certs as long as they expire on Dec 31, 2016. Luckily one good thing happened: non-legacy browsers are removing their trust for the SHA-1 root certs, which will make them more secure and will serve as a canary in the coal mine.
In other words, if you are still using SHA-1 certs, you will start to get warnings from your non-mobile users (easy to fix) now, giving you an indication that you need to start fixing your mobile users (you have until December 2016).
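As an added example (not from the original post): a stdlib-only Python check that pulls the signature algorithm OID and notAfter out of a DER-encoded X.509 certificate and flags SHA-1-signed certs that outlive the Dec 31, 2016 cut-off, so you can inventory what needs replacing before the browser warnings turn into hard failures. The sample certificate it builds is constructed for the demonstration (empty names, dummy signature value) and is not a real, signed certificate.

```python
import datetime

SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")   # 1.2.840.113549.1.1.5 sha1WithRSAEncryption
CUTOFF = datetime.datetime(2016, 12, 31, 23, 59, 59)  # last permitted SHA-1 expiry cited in the post

def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                  # short-form length
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    k = first & 0x7F                                  # long-form: 0x80|k, then k length bytes
    n, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[start:start + n], start + n

def der_children(body):
    """Split a SEQUENCE body into its (tag, value) members."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        items.append((tag, val))
    return items

def parse_time(tag, val):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...); UTC 'Z' form only."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(val.decode("ascii"), fmt)

def inspect_cert(der):
    """Return (signature algorithm OID bytes, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = der_read(der)
    tbs, sig_alg, _sig_value = der_children(cert)    # Certificate ::= SEQ { tbs, sigAlg, sigValue }
    oid = der_children(sig_alg[1])[0][1]              # AlgorithmIdentifier ::= SEQ { OID, params }
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                          # optional explicit [0] version comes first
        fields = fields[1:]
    validity = der_children(fields[3][1])             # serial, signature, issuer, validity, ...
    return oid, parse_time(*validity[1])              # validity[1] is notAfter

def sha1_cert_outlives_cutoff(der):
    """True when the cert is SHA-1-signed and expires after 2016-12-31: needs replacing now."""
    oid, not_after = inspect_cert(der)
    return oid == SHA1_RSA_OID and not_after > CUTOFF

def der_tlv(tag, body):
    """Tiny DER encoder (short-form lengths only); used just to build the constructed sample."""
    return bytes([tag, len(body)]) + body

def build_sample_cert(sig_oid, not_after_utctime):
    """Constructed sample: valid X.509 layout with empty names and a dummy signature value."""
    alg = der_tlv(0x30, der_tlv(0x06, sig_oid) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"150101000000Z") + der_tlv(0x17, not_after_utctime))
    name = der_tlv(0x30, b"")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))
```

To run it against a real leaf certificate, feed `inspect_cert` the DER bytes (for example the output of `ssl.get_server_certificate` converted with `ssl.PEM_cert_to_DER_cert`); the walker handles long-form lengths, which real certificates use.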
However, I don't think that's enough of a "signal". It is still possible for companies to be oblivious to the situation. I'm no crypto expert, but I think people should consider two things to "raise awareness":
- SHA-1 certs should expire much sooner. Imagine if people had to renew them every month. That would keep the issue visible. If you get a cert that is good for 12 months, it is easy to forget about the issue because there are bigger fires to put out. Monthly (or 60-day) renewals would keep the issue in the forefront of people's minds.
- SHA-1 certs should cost $10,000. This would introduce economic pressure to stop supporting legacy devices, which would put pressure on legacy devices to upgrade.
The real problem, however, is vendors making systems that are stuck with old software and can't be fixed. I wish there was something we could do to make it economically infeasible for vendors to make such devices. Right now it is cheaper to produce a product with no upgrade mechanism, which means that device is going to make life difficult for everyone else in a few years (or in a few minutes, if that's when the next Heartbleed or ShellShock arrives). Wouldn't it be great if, instead, any time a vendor was about to create a non-upgradable system, the C++ compiler would detect this and refuse to compile? Or maybe it should compile but output a warning that in n days it will erase the developer's hard disk instead.
I can dream, can't I?