SHA1 certificates for secure SSL/TLS communications are deprecated due to known computational vulnerabilities. To ensure secure communications, a forced deprecation sounds reasonable (i.e. refuse to connect to these). That has the side effect that it will lock out many users who are unable to use stronger hashes such as SHA256. However, if a fallback to SHA1 is provided (as Facebook is proposing), everyone will be vulnerable to SHA1 downgrade man-in-the-middle attacks.
What to do?
(Score: 5, Insightful) by pendorbound on Friday December 11 2015, @05:17PM
Two options:
1) A small number of users get an obvious error message that says they can't connect securely.
2) The entire world thinks they're connecting securely while secretly getting downgraded and probably having no idea there's an MitM in place.
Break the 7%. No question it's better than see an error & know you're insecure than have get no warning that you're insecure.
(Score: 3, Interesting) by tempest on Friday December 11 2015, @05:54PM
I find it hard to believe this 7% isn't finding most of the internet dysfunctional already. If you're using windows XP with service pack 2 or lower, you have a lot more issues than this.
The bigger problem is that you may not get an "obvious" error. I had this kind of issue a few weeks ago when a vendor was complaining they couldn't connect to a website because of "networking problems". Eventually I tracked it back to the version of IE they were using didn't support the required encryption to connect to the site. But the error was "cannot connect" with the usual Microsoft kind of "there could be a million things that are wrong" debugging help.
(Score: 0) by Anonymous Coward on Friday December 11 2015, @06:13PM
I have an Ancient GnuSense Laptop that I have not gotten around to upgrading yet. I get similar mysterious failure. Sometimes websites will work for a while, then suddenly refuse to (looking at you ixquick).
I strongly suspect lack of support for newer hash algorithms is the problem.
(Score: 3, Interesting) by Hyperturtle on Friday December 11 2015, @08:05PM
Can I still have the option to visit a site in cleartext?
I promise not to log in if they take away the ability for me to log in and share personal data in clear text.
It may be I just want to read something and don't want to have to replace old hardware to do it.
Sort of like how hard it has become to set up a personal file share that various devices can access without having to fight the requirement for a cloud of some kind. Some hardware is designed to never connect locally and always to some remote service with terms of services that may change...
It'd be nice if there was still an internet out there that was cleartext and low bandwidth and worked on older devices. I'd visit it. I guess there would be less sites due to the ads probably not working on such a model, but I can probably donate to a site following that model. I'd probably set one up myself...like how people used to have geocities pages or use their free 2MB of space given by their dialup provider in amazingly low bandwidth ways...
(Score: 0) by Anonymous Coward on Friday December 11 2015, @10:10PM
You may be interested in Gopher. Browser support has been removed over the years, rather than maintained, however.
I have interest in (but have not tired) CJDNS, but that does not meet your "cleartext" criteria. Gopher should work fine over it though (If you have an IPv6 aware gopher host)
(Score: 2) by Hyperturtle on Monday December 14 2015, @12:37AM
I'll give that a shot. I still like to stumble across telnet BBS's -- some that are in ANSI are a rare treat to behold.