
Pick one that can deliver the full certificate chain without using SHA-1.

The faster the web moves away from SHA-1 the better, and rewarding companies that are already abstaining from SHA-1 contributes to our collective security, in the case of HTTPS.

You should also do it for purely selfish reasons. Chrome is sunsetting SHA-1 for use in certificate signatures, and Chrome will eventually show SHA-1 certificates as insecure. See the link below.

http://googleonlinesecurity.blogspot.se/2014/09/gradually-su...
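A concrete check for the advice above, as an added example that is not part of the thread: a pure-stdlib Python DER walk that reads each certificate's signatureAlgorithm OID and flags the SHA-1 based ones. It assumes a leaf-first list of DER-encoded certificates (one `bytes` per cert); the sample chain at the bottom is constructed, not real certificates, and the self-signed root is skipped by default because clients never verify its own signature.

```python
# Added example (not the thread's code): DER walk over certs given as DER bytes each.
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # RFC 3279 OIDs
                       "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def der_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted decimal (first octet packs two arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)   # base 128; high bit marks a continuation byte
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, pos, _ = der_tlv(cert_der, 0)
    _, _, tbs_end = der_tlv(cert_der, pos)             # skip tbsCertificate SEQUENCE
    _, alg_start, _ = der_tlv(cert_der, tbs_end)       # AlgorithmIdentifier SEQUENCE
    oid_tag, start, end = der_tlv(cert_der, alg_start) # its first element is the OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER Certificate")
    return decode_oid(cert_der[start:end])

def sha1_signed_certs(chain, include_root=False):
    """Leaf-first chain -> [(index, name)] of SHA-1 signed members; the self-signed
    root is skipped by default because clients never verify its own signature."""
    members = chain if include_root else chain[:-1]
    found = [(i, signature_algorithm_oid(c)) for i, c in enumerate(members)]
    return [(i, SHA1_SIGNATURE_OIDS[oid]) for i, oid in found if oid in SHA1_SIGNATURE_OIDS]

# Constructed sample chain: DER shells with the Certificate outer shape, not real certificates.
def _tlv(tag, body):                # tiny DER encoder; two-byte long form for bodies >= 0x80
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body
def _fake_cert(oid_content):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                        # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, oid_content) + _tlv(0x05, b""))  # AlgorithmIdentifier
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xaa" * 200))  # exercises long form

SHA1_RSA, SHA256_RSA = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")
CHAIN = [_fake_cert(SHA256_RSA), _fake_cert(SHA1_RSA), _fake_cert(SHA1_RSA)]  # leaf, intermediate, root
```

Run against a real chain by reading each file's DER bytes into the list; `sha1_signed_certs(CHAIN)` on the sample reports only the intermediate, and `include_root=True` adds the root.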



You should also do it for purely selfish reasons. Chrome is sunsetting SHA-1 for use in certificate signatures, and Chrome will eventually show SHA-1 certificates as insecure.

Referring specifically to this point, and not to your wider point about moving away from SHA-1, "because one browser maker said so" is rarely a good reason to do anything.

Google has an irritating habit of deciding it knows best for the entire world, but often it gets that call wrong and winds up degrading the experience for people who aren't in its chosen group of blessed users. The Firefox team are similarly arrogant at times.

However, in the real world, large organisations also use browsers to access intranet sites, and their requirements -- particularly with regards to security -- may be different to users surfing the public Web. Developers do need to do things with sites that aren't fully configured yet or are in transition from one system to another even if those things might not be a good idea when surfing the public Web. And so on.

So, I urge you to support good practices by making solid technical arguments for them. For example, in this case you could explain or link to information about why the SHA-1 issue matters for those who don't know. Please don't promote browser makers as authoritative sources of best practices instead, because often they aren't.


Correction: two browser vendors who between them have more than half of the browser share. And the solid technical argument is that SHA-1 is no longer considered secure.


They don't have a majority on any site I run, but even if they did, that wouldn't be the point. Decisions about technical matters -- and particularly about security policies -- should be made on the basis of evidence, not appeals to authority.

For example, instead of saying "it's a good idea to do this because Google will show scary messages", it would be more helpful to link to a site with a test tool and explanatory information about the underlying issue, such as this one:

https://shaaaaaaaaaaaaa.com/


I find appeals to authority OK, given that if 50% of market share wouldn't be on board, nobody would consider adopting it.


Anyone serious about security would, and they'd be doing it now, not in a few months just because Google decided to show some different pixels on a screen from that date.


More information about the support for SHA-2 certificates from various purchase avenues at: https://shaaaaaaaaaaaaa.com/#sha2-certificate
