SHA-1 is actually planned on being phased out by Microsoft, Google Chrome, and Mozilla before the end of 2017. Certainly a strange choice to continue using it in a new login/auth system with its end of life coming up relatively soon.
SHA-1 is definitely a lot weaker than its newer counterparts, but a huge portion of the internet is still using it despite having known weaknesses for a decade. There is little reason to continue using it, because better alternatives are widely supported.
The deprecation policies from MS, Google, and Mozilla should help to push that along. Especially with Chrome beginning to put warnings on sites that continue using weak, obsolete encryption methods.
Footsteps Of War [FoW] | Yak’s Bend
Seer Of The Divine | Sarina Starlight | Tireasa | Caedyra
Yeah, I also noticed that the ciphersuite I’m seeing is AES128-CBC, even with new versions of Firefox and Chrome; AES128-GCM would be preferable. Also, yes, as the OP mentioned, ECDHE key-exchange.
Ideally I’d like to see ECDHE-RSA-AES256-GCM-SHA384 or ECDHE-ECDSA-AES256-GCM-SHA384.
Kati Kainulainen – Norn warrior | Irina Kuznetsova – Human elementalist
Baghaar Ironfang – Charr guardian | Maja Sigurdsdottir – Norn ranger
Tarnished Coast
