Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Update language to emphasize that core goal is allowing SHA-1 to be deprecated #25
@schoen kindly emailed me to make sure I knew, and the site conveyed, that the dangers of SHA-1 won't be gone -- even for site owners that upgrade to SHA-2 -- until SHA-1 is widely deprecated and untrusted by exploitable systems. With his permission, I've included his email here:
To which I asked: "How can an attacker who can generate SHA-1 collisions make a fake cert for a cite using SHA-256? And if that's true, how does updating to SHA-256 help anybody?"
I'll update the copy to make this point more clear, and to link to http://www.win.tue.nl/hashclash/rogue-ca/, which is an excellent depiction of the problem.