Us geeks and IT professionals who visit this website do not need convincing. Who here loves outdated, insecure, crappy software? OK, there are some who still use XP and do not like change, but they are in the minority.
The problem is no value in IT in business infrastructure or processes. We all experienced it some time in our career. We are outsourced, not invited to meetings that we would be in dealing with IT, dictated to, forced to learn COBOL, Java, IE 6 stuff, and to keep unpatched systems secure somehow.
SHA-1 is not going anywhere where I work. IE 6 is too ingrained and our customers use it. So we use insecure IE 6 + insecure Server 2003 to process our HIPAA and credit card data, where we are fired if a security breach takes place. SHA-1 is required for the glue to hold most of our customer systems in place.
We are never invited to the meetings for these requirements. We are a cost. We are told, "I promised the client it will be done in 48 HOURS!!" My company is the same as the last one, where we outsource everything to the cheapest bidder for the work too. At least the employer presently does not go to that extreme when they promise a client a month's worth of work must be done in 72 hours.
Anyway, our MBAs do not know what a SHA-1 is?? They do not care, as IT is plumbing. As long as no water is leaked, never replace the pipes. The problem is if we dictate to the customer NO USE SHA-2 and update your mission critical $1.5 million dollar app, they will give us the finger and go to a competitor.
Until IT is respected like it was back in the 1990s as part of the business process team to help the organization perform its functions, SHA-1 will be like Java/COBOL and never be updated no matter how many geeks whine.
If Java 8 stops SHA-1 or MD5 signing then we will use an insecure version. HR will fire me if I break their apps, so what choice do I have?