
As sites move to SHA2 encryption, millions face HTTPS lock-out - jrochkind1
http://www.zdnet.com/article/as-sha1-winds-down-sha2-leap-will-leave-millions-stranded/
======
theandrewbailey
SHA2 software compatibility:
[https://support.globalsign.com/customer/portal/articles/1499...](https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility)

------
Ninn
Nice title, does anyone have a paper explaining how to encrypt things with
SHA1 and SHA2 perhaps? I guess not?

Would be good with some sources that what the hell they are talking about.

~~~
xenophonf
You can't encrypt things using a cryptographic hash function:

[https://en.wikipedia.org/wiki/Cryptographic_hash_function](https://en.wikipedia.org/wiki/Cryptographic_hash_function)

The first part of the article talks about CAs no longer signing certificates
using SHA1. That means older browsers or crypto libraries won't be able to
verify a CA's SHA2 signature on certificates issued after January 1, 2016.
Users running these older browsers or crypto libraries who connect to web
sites using SHA2-signed certificates will get an error similar to the error
they receive when connecting to web sites that use self-signed certificates.

The second part of the article talks about modern web browsers throwing an
error when connecting to web sites that use SHA1-signed certificates, similar
to the error users receive when connecting to web sites that use self-signed
certificates.

It's a damn shame that X.509v3 doesn't support multiple signatures on a single
certificate. That would really ease the transition to new signing algorithms.
I can't really fault the CAs or browser developers here because X.509 doesn't
facilitate forwards compatibility.
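
Added example, not part of the thread or the linked article: a standard-library Python sketch that reads the signature algorithm a CA used on a DER-encoded certificate, which is the field the SHA1-to-SHA2 transition changes, and that rejects anything other than the single algorithm/signature pair the outer X.509 structure carries. The function names and the two sample byte strings are constructed for illustration; the samples are skeletons with placeholder contents, not real certificates.

```python
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(data):
    """Decode OID content bytes to dotted form (single-byte first pair assumed)."""
    first = min(data[0] // 40, 2)
    arcs, val = [first, data[0] - 40 * first], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)  # base-128 digits, high bit means "more"
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Name the algorithm in Certificate ::= SEQUENCE {tbs, sigAlg, sigValue}."""
    tag, body, _ = read_tlv(cert_der, 0)
    fields, pos = [], 0
    while tag == 0x30 and pos < len(body):
        field_tag, value, pos = read_tlv(body, pos)
        fields.append((field_tag, value))
    # Exactly one AlgorithmIdentifier and one BIT STRING follow tbsCertificate.
    if [t for t, _ in fields] != [0x30, 0x30, 0x03]:
        raise ValueError("not an X.509 Certificate structure")
    oid_tag, oid, _ = read_tlv(fields[1][1], 0)
    if oid_tag != 0x06 or not oid:
        raise ValueError("signatureAlgorithm does not start with an OID")
    name = decode_oid(oid)
    return SIG_ALGS.get(name, name)

# Constructed skeletons (placeholder tbsCertificate and signature bits).
TBS, SIG = "3003020101", "030500deadbeef"
SHA1_CERT = bytes.fromhex("301b" + TBS + "300d06092a864886f70d0101050500" + SIG)
SHA256_CERT = bytes.fromhex("301b" + TBS + "300d06092a864886f70d01010b0500" + SIG)
```

For a real certificate, pass its DER bytes, for example the result of `ssl.PEM_cert_to_DER_cert()` on a PEM file.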

~~~
ddp
Too bad we're stuck with ASN.1 in general, if you ask me. :-)

