All XP users (including the zillions of pirated ones) can and should upgrade to SP3, free. That leaves aside the question of whether they should still be on the internet, sitting and waiting for the exploit which enables the next "Sapphire". That is going to be a fun day. I'll bring marshmallows.
The situation with Android, vendors, old versions, device abandonment and lack of security patches is terribly disappointing across the ecosystem. It does not have the same excuse of age that Windows XP does. I'm not sure how to remedy that, and I'm not even completely sure why it happened in the first place except for the melting pot of: carriers wanting complete images to test and to remain completely stable (big mistake: most software really needs security patches deployable globally within hours!); SoC vendors with closed-source binary blob drivers, and this being tolerated in the ecosystem (big mistake: this means when it's dead to the vendor it's dead to everyone, because ABI changes); and versions with high minimum memory requirements (which is improving recently, but I feel if you can't go back and run it on the ADP1, and it doesn't run worse than it ever did, you're still not really done with that yet). Projects like CyanogenMod at least help there.
I agree it is shocking how many are still out there, but given the choice between "HTTPS being secure" and "supporting insanely old/insecure software", choosing the latter seems like the kind of choice people will vividly remember when they come to regret it later.
> choice between "HTTPS being secure" and "supporting insanely old/insecure software",
I think there are really three outcomes:
1. HTTPS is widely used, it's secure, insanely old/insecure software is not supported. (Ideal outcome)
2. HTTPS is widely used, but using SHA1 certs for a little longer so that insanely old/insecure software is supported.
3. HTTPS is less widely used, but is secure with SHA2 certs, and insanely old/insecure software is still supported.
My concern (and Matthew's too I think) is that the aggressive deprecation of SHA1 will put us on a trajectory to outcome 3. We're at a unique point in history right now: there is incredible momentum behind converting sites to HTTPS, even sites that traditionally would not have used HTTPS (such as all static sites). The SHA1 deprecation might throw a wrench into this and cause site operators to reconsider switching to HTTPS. If not for this momentum, I'd agree that aggressively deprecating SHA1 would be the clearly correct course of action, but at this moment in history I'm deeply ambivalent. Disrupting the HTTPS momentum would be very sad, especially since switching to HTTPS provides an immediate defense against mass passive eavesdropping.