SHA-1 Deprecation: No Browser Left Behind

Starting January 1, 2016, most certificate authorities will no longer issue new SSL certificates that use the SHA-1 hash algorithm due to its vulnerability to potential collision attacks. While this move is necessary for maintaining security on the modern internet, it could potentially cut off millions of users in developing countries who are still using older devices and browsers without support for the more secure SHA-256 (SHA-2) algorithm. To address this issue, Cloudflare has introduced a feature that allows its paid customers to automatically fall back to serving SHA-1 signed certificates for legacy browsers while continuing to use SHA-256 for modern ones. Other companies like Alibaba and Facebook also support SHA-1 fallback on their websites. The industry is urged to adopt the proposal of creating a new Legacy Verified (LV) certificate class that allows legacy signature protocols, such as SHA-1, but only be issued to organizations that properly issue certificates based on modern protocols for modern browsers while falling back for legacy ones.