Message boards : Web interfaces : Any plans to upgrade BOINC website SSL algorithm away from SHA-1?
Joined: 19 Dec 06, Posts: 90
SHA-1 is marked for death by many industry giants like G**gle and Mozilla, which will impact many casual users who just trust whatever their browsers tell them is safe/unsafe. In my case, organizational networking/security policy is soon going to block SHA-1 except for an administrator-maintained whitelist, which means no user-added exceptions. A search for "SHA-1" in these forums only brought up one post in a SETI thread, so I wonder if this is even on the radar for the folks who maintain this website. Perhaps the *.berkeley.edu TLD has some bureaucratic baggage that the BOINC department can't control?
Joined: 4 Jul 12, Posts: 321
There is a recent post from David Anderson that he is aware of the issue, but as you said there is some level of bureaucracy involved, which I guess means nagging people until you get the thing you want.
Joined: 29 Aug 10, Posts: 8
Thanks for updating the certificate to use SHA256 as the hashing function! But any info about updating the SSL/TLS settings? Right now it supports some obsolete and insecure cipher suites; see my previous article: https://boinc.berkeley.edu/dev/forum_thread.php?id=11261
Joined: 29 Aug 05, Posts: 15560
It took quite some convincing to get Berkeley thus far to get those certificates, especially for Seti@Home. There they also want to change the downloads to HTTPS but lack the necessary certificates for that, so a new fight ensues.
Joined: 4 Jul 12, Posts: 321
It seems the only problem with the boinc.berkeley.edu configuration is support for the RC4 cipher. If that gets disabled, the ssllabs grade should be an A. Which is fine in my opinion.
Joined: 29 Aug 05, Posts: 15560
Isn't that to make sure older Android/Windows versions can still get onto these forums?
Joined: 4 Jul 12, Posts: 321
According to a CloudFlare Blog article (2 years old), "older Android/Windows" means in this case:
Joined: 29 Aug 05, Posts: 15560
According to SSLLabs, RC4 is used by XP/IE8, which is the last IE that XP can be upgraded to. We could ask David to check the database to see how many people use that combination to come here, if the database registers that. (Edit: I emailed him)
Joined: 19 Dec 06, Posts: 90
If Firefox and/or other browsers run on XP and support modern encryption, why should anyone make special concessions to those who want to use IE8?
Joined: 29 Aug 05, Posts: 15560
Sniff. https://github.com/BOINC/boinc/commit/0bc9b0264081a0b338d7731e45f854917b966e86

> BOINC web: don't show mediawiki pages as https; doesn't work

When one goes from the User Manual loaded via HTTPS to some of the sub-pages, CSS refuses to load because the links it loads the Monobook skin from are HTTP only. So then Firefox shows a mixed content warning in Developer->Inspector, and pages do load but without any CSS. Of course, for David it's easier to not make the User Manual (and other pages) work with HTTPS than to try to make Apache work with it all around the domain.

So, soon in a Firefox around the corner: https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

> To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don't use HTTPS, to make clear that they are not secure. As our plans evolve, we will continue to post updates but our hope is that all developers are encouraged by these changes to take the necessary steps to protect users of the Web through HTTPS.
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.