chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Mark invalid-expected-sct and sha1-intermediate as Defunct #445

Closed christhompson closed 4 years ago

christhompson commented 4 years ago

invalid-expected-sct has expired with no way to renew it (replaced by no-sct). Similarly, sha1-intermediate will expire on May 30, 2020, and CAs can no longer issue new ones using SHA-1. This moves both to the "Defunct" section of the homepage and removes them from the dashboard.

Fixes #416

sydia1103 commented 3 years ago

@christhompson Microsoft has an internal cert generator that allows them internally to get SHA1 certs; for example, update.microsoft.com was renewed with a SHA1 cert in May 2020, and that expired and was replaced with a 384 cert in April of this year. This is not useful; this is just to let you know that it is still possible to get a SHA1 somewhere.

sydia1103 commented 3 years ago

http://web.archive.org/web/20210426032119/ssllabs.com/ssltest/analyze.html?d=www.update.microsoft.com Here is the link to the web archive.

christhompson commented 3 years ago

@sydia1103 IIUC that cert is not publicly trusted/part of the WebPKI -- it is only used for Windows Update.