Chrome stop accepting SHA-1
-
The problem with this is that Chrome makes no easy way to get around their decision.
I have some various internal things that have weak DH and I just go to IE for those now.
If Chrome still had a way to get to things anyway that would be great, but they do not. Instead you have to manually launch Chrome with a switch telling it to accept the weak DH. But this then makes Chrome accept all weak DH, which defeats the purpose of not supporting this.
-
@JaredBusch said:
The problem with this is that Chrome makes no easy way to get around their decision.
I have some various internal things that have weak DH and I just go to IE for those now.
If Chrome still had a way to get to things anyway that would be great, but they do not. Instead you have to manually launch Chrome with a switch telling it to accept the weak DH. But this then makes Chrome accept all weak DH, which defeats the purpose of not supporting this.
Especially for just internal self-signed stuff. From the way the article sounds, in 2017 it just won't let you go to it, period.
I understand that in 2016 SHA-1 can't be issued but what about all of the ones issued in 2015? Now all of those certs will appear broken to people who don't know what they're looking at.
I use Firefox for all the self-signed stuff because I've tried adding the certs to Chrome and I can't get it to accept them.
-
Sadly it takes hard moves like this to force us forward.
Hopefully things like this will get vendors to build better systems, but who am I kidding?
-
@Dashrender said:
Sadly it takes hard moves like this to force us forward.
Hopefully things like this will get vendors to build better systems, but who am I kidding?
And what about the installed base? This makes them fairly unusable.
-
@JaredBusch said:
@Dashrender said:
Sadly it takes hard moves like this to force us forward.
Hopefully things like this will get vendors to build better systems, but who am I kidding?
And what about the installed base? This makes them fairly unusable.
As you mentioned, there are other browsers you can use to get around these problems for now - Chrome is declaring it the safest option out there - you want to be safe, use Chrome because we don't allow you to do unsafe things.
If it was up to my boss, we'd still be running Windows XP. From a getting-the-job-done perspective it was doing the job just fine. And to that end I agree with her. But Microsoft needs to get paid by people who use their product more than once every 10 years (though I might look the fool for saying that considering they gave away Windows 10 for free).
We have shops that build their solutions on software that has a finite working life in the current ecosystem, yet they (the solution providers) and their customers both don't take that into consideration.
Now one might argue that the solution provider does take this into consideration and fully expects their customers to rebuy when "required to" because the underlying software is considered a security risk. But we all know that this is rarely if ever the case.
Heck, we bought a CAT scanner in 2008 that came built on Windows 2000.
-
@Dashrender said:
If it was up to my boss, we'd still be running Windows XP. From a getting-the-job-done perspective it was doing the job just fine. And to that end I agree with her. But Microsoft needs to get paid by people who use their product more than once every 10 years.
It's not quite that. You are free to keep using XP. It keeps working. The issue is that you want continuing, active support from Microsoft both in "offering support" and in patches and in some cases, upgrades. These things are not Microsoft needing to be paid for XP, they are MS needing to be paid for providing support for a product for which they do not charge support. It's not like MS invests once and never spends money on it again. They spend a lot of money providing the stuff that makes XP "seem usable."
-
@Dashrender said:
Now one might argue that the solution provider does take this into consideration and fully expects their customers to rebuy when "required to" because the underlying software is considered a security risk. But we all know that this is rarely if ever the case.
Yes but... it makes it the customer's fault
-
@scottalanmiller said:
@Dashrender said:
Now one might argue that the solution provider does take this into consideration and fully expects their customers to rebuy when "required to" because the underlying software is considered a security risk. But we all know that this is rarely if ever the case.
Yes but... it makes it the customer's fault
What's just as bad is often the vendor doesn't have a new solution either.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Now one might argue that the solution provider does take this into consideration and fully expects their customers to rebuy when "required to" because the underlying software is considered a security risk. But we all know that this is rarely if ever the case.
Yes but... it makes it the customer's fault
What's just as bad is often the vendor doesn't have a new solution either.
No different than offering no solution at all. It means that the vendor no longer offers a supported product. Time to move on.