
TLS Certificate Optimization: The Technical Details behind "No Browser Left Behind"

Blog post from Cloudflare

Post Details
Author: Patrick R. Donahue
Word Count: 2,723
Language: English
Hacker News Points: 21
Summary

Cloudflare has implemented a "no browser left behind" initiative, serving over 500 billion SHA-1 certificates to visitors who otherwise would not have been able to communicate securely with its customers' sites over HTTPS. The company continues to present newer SHA-2 certificates to modern browsers, using the latest in elliptic curve cryptography. Cloudflare has developed a logic tree for determining which certificate to present and, relatedly, which cipher suite to use during the SSL/TLS handshake. This logic takes into account factors such as plan type, the presence of the signature_algorithms extension, the specific signature_algorithms offered, shared cipher suites, the server_name_indication extension, and the Legacy Browser Support setting in the Cloudflare dashboard.