Adding an attack checking for certificates using SHA-1

[yzninja]

I'd like to request addition of an an attack or feature that checks for certificates that use the SHA-1 hash algorithm.

I notice Google will soon be warning users in Chrome (v41) of certificates using SHA-1 that expire after 1 January 2016. http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html

My suggested implementation for SHA-1 certificates is:

• [WARNING] message for certificates expiring after 1 Jan 2016 but before 1 Jan 2017.
• [ERROR] message for certificates expiring after 1 Jan 2017 (to make maintenance of messages easier you could check the current date, and if it's after 1 Jan 2017 and a SHA-1 unexpired certificate is found raise [CRITICAL] message)

There shouldn't be too many certificates still using MD5, but it would be good to throw a message if one is found. Suggested implementation:

• [CRITICAL] if any MD5 certificates are found

PS. Mozilla I believe is doing something similiar in Firefox. https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

[yzninja]

PS.2. Sorry I'm not a GitHub ninja - how do I tag this as an "enhancement"?