> choice between "HTTPS being secure" and "supporting insanely old/insecure software",

I think there are really three outcomes:
1. HTTPS is widely used, it's secure, insanely old/insecure software is not supported. (Ideal outcome)
2. HTTPS is widely used, but using SHA1 certs for a little longer so that insanely old/insecure software is supported.
3. HTTPS is less widely used, but is secure with SHA2 certs, and insanely old/insecure software is still supported.

My concern (and Matthew's too I think) is that the aggressive deprecation of SHA1 will put us on a trajectory to outcome 3. We're at a unique point in history right now: there is incredible momentum behind converting sites to HTTPS, even sites that traditionally would not have used HTTPS (such as all static sites). The SHA1 deprecation might throw a wrench into this and cause site operators to reconsider switching to HTTPS. If not for this momentum, I'd agree that aggressively deprecating SHA1 would be the clearly correct course of action, but at this moment in history I'm deeply ambivalent. Disrupting the HTTPS momentum would be very sad, especially since switching to HTTPS provides an immediate defense against mass passive eavesdropping.