[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The SHA1 sunset
|
From: |
Lars Magne Ingebrigtsen |
|
Subject: |
Re: The SHA1 sunset |
|
Date: |
Tue, 05 Jan 2016 08:07:39 +0100 |
|
User-agent: |
Gnus/5.130014 (Ma Gnus v0.14) Emacs/25.1.50 (gnu/linux) |
Mike Gerwitz <address@hidden> writes:
> Personally, I prefer not to rely on bandages for my crypto.
It is, of course, up to you what you do for yourself.
What we're discussing is what the defaults should be in Emacs. Issuing
warnings to users about something that isn't (yet) a probable issue is a
disservice to our users. If they feel that these security mechanisms
get in the way of getting stuff done, they will, of course, just disable
those mechanisms altogether.
Which is why I asked to statistics of SHA-1 certificates in use today.
The newest one I could find was from April 2015, and at that point 20%
of Alexa Top 1000 web sites were using SHA-1 certificates. If that's
still the case, it's way more than is reasonable to warn our users
about.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
Re: The SHA1 sunset, James Cloos, 2016/01/04