That, then, is the current scenario. Google is being aggressive, because the company has gone all-in on removing the weak points of Internet security and integrity. I've written previously about other work Google has done to improve and monitor how certificates are issued and for which domains a certificate may be deemed valid.
Mozilla is a community-driven group, and the sense of its community is that user-facing warnings shouldn't start in earnest until January 1, 2016. At that point, Firefox will tell surfers that a connection is untrusted if a SHA1-signed certificate in the chain of trust from web server to CA was issued during 2016. Starting a year later, all SHA1 certificates will be rejected. Mozilla may start showing more user warnings earlier, at its discretion.
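As an added example, not from the article, the Firefox timeline above expressed as a chain audit: it pulls the fields a practitioner would take from `openssl x509 -noout -text` and reports whether a chain would be accepted, warned about, or rejected on a given date. The certificate excerpts are constructed, and the ECDSA/DSA algorithm names and the exclusion of the root's self-signature are assumptions.

```python
"""Audit a certificate chain against the Firefox SHA-1 sunset timeline (added example)."""
import re
from collections import namedtuple
from datetime import date, datetime

# Algorithm names as printed by `openssl x509 -noout -text`; the ECDSA/DSA names are assumed.
SHA1_SIGNATURE_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}
WARN_FROM = date(2016, 1, 1)    # SHA-1 certs issued on or after this date draw a warning
REJECT_FROM = date(2017, 1, 1)  # from here on, any SHA-1 signature in the chain is rejected

CertInfo = namedtuple("CertInfo", "subject signature_algorithm not_before")

def parse_openssl_text(text):
    """Pull subject, signature algorithm and notBefore out of `openssl x509 -text` output."""
    subject = re.search(r"^\s*Subject: (.+)$", text, re.M).group(1).strip()
    sig_alg = re.search(r"^\s*Signature Algorithm: (\S+)", text, re.M).group(1)
    stamp = re.search(r"Not Before\s*: (\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})", text).group(1)
    return CertInfo(subject, sig_alg, datetime.strptime(stamp, "%b %d %H:%M:%S %Y").date())

def classify_chain(chain, today):
    """Return (verdict, SHA-1-signed subjects) as of `today` (a date or ISO string).
    `chain` is the server cert plus intermediates; the trust anchor's self-signature is not
    checked during path validation, so it is left out (an assumption, not stated on the page)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    sha1 = [c for c in chain if c.signature_algorithm in SHA1_SIGNATURE_ALGORITHMS]
    if not sha1:
        return "ok", []
    if today >= REJECT_FROM:                 # 2017 onward: every SHA-1 chain fails
        return "reject", [c.subject for c in sha1]
    issued_2016 = [c.subject for c in sha1 if c.not_before >= WARN_FROM]
    if today >= WARN_FROM and issued_2016:   # during 2016: only newly issued SHA-1 certs warn
        return "warn", issued_2016
    return "ok", [c.subject for c in sha1]   # still tolerated, but listed for the operator

# Constructed excerpts in `openssl x509 -noout -text` layout; these are not real certificates.
LEAF_TEXT = """Certificate:
        Signature Algorithm: sha1WithRSAEncryption
            Not Before: Feb  3 00:00:00 2016 GMT
        Subject: CN=www.example.com
"""
INTERMEDIATE_TEXT = """Certificate:
        Signature Algorithm: sha256WithRSAEncryption
            Not Before: Jan  1 00:00:00 2014 GMT
        Subject: CN=Example Intermediate CA
"""
```

Feed it the text of each certificate from the server's chain in turn; a SHA-1 leaf issued before 2016 stays "ok" through 2016 but is listed so it can be replaced ahead of the 2017 cutoff.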
The explorers have gone on safari and we can't find them
The shame here is that Apple and Microsoft, the two biggest operating system makers after Android, haven't made a stronger showing. As with the Chinese CNNIC registrar's misuse of a root certificate assignment, which I've written about a couple of times, neither Apple nor Microsoft is currently talking publicly about its plans, laying out a timeline, or warning users. Microsoft last posted about this in 2013, and its plans should loosely follow Mozilla's, unless it has quietly changed them. Apple has said nothing publicly.
The trouble is that CAs are sometimes tied to giant corporations and government agencies. When browser makers expose those CAs' processes, shame outdated and flawed security, and bar access, that can cause high-level trouble for companies with global businesses.
But keeping silent isn't good enough in an era in which it's been verified just how much security has been broken, and new exploits are being discovered daily. Apple and Microsoft need to step up to embrace the transparency that Google and Mozilla already have.