Hacker News new | comments | show | ask | jobs | submit login

Not responding directly to your point (that this might make the Internet less secure), but there is also another approach -- deploying with two certificates. You can have a RSA/SHA1 certificate for older software and an ECDSA/SHA256 certificate for modern user agents. That should keep everyone happy. I dare say that, with some effort, it might even be possible to have a RSA/SHA1 and RSA/SHA256 certificate combination for the same host.

Of course, doing that is a lot of work. But at least your company is in a position to do the work once and automate it afterwards for all your customers.




Yes, that's what we're doing at CloudFlare. However, the patches to do it in major web server platforms are best characterized as "experimental" -- which is spooky for organizations to deploy into production environments. (We plan on open sourcing any work we do to improve them.) But, given how hard it is for most web admins to even manage one certificate, configuring a server to correctly manage two is... daunting. As you suggest, this change is undoubtedly good for our business, but I think it's bad for the web.


Although I'm an AGL fanboy (I have his rookie card) I have to agree with Matthew here. Pushing the transition this fast, just when the world is on the verge of accepting HTTPS as the default, is reckless and will overall reduce the safety of the Internet.

FYI, we are deploying in the same manner as Cloudflare, with RSA/SHA1 and ECDSA/SHA256 side-by-side. We are committing our changes to the public ATS repository and hopefully those changes are useful to other projects. Unfortunately this is dependent on OpenSSL 1.0.2, so we might have to deploy beta code into production if the OpenSSL project can't beat Chrome's arbitrary deadline.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: