need graceful failure
It shocks me that so many folks push to just kill stuff without any sort of graceful failure. I mean in the case of SHA1 for example browsers and servers should be able to present a coherent message to the user about why things are not working.
firefox for example gives this kind of error
--
The connection to XXX was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. (<-- could not be verified to me sounds like a ssl cert issue e.g. self signed certs, with self signed certs browsers allow me to EASILY override and accept the cert, it should allow me to do the same here!!!)
Please contact the website owners to inform them of this problem.
--
which to me is not sufficient, it should give details(or have an option to get details) as to specifically what the problem was. Was it we are now not allowing SHA1 ? or some other encryption standard? If I get the message perhaps I could contact the site owner and tell them specifically what is wrong, as-is it looks like a browser bug and I use another browser to get to the site(in this case happens to be a PDU, I assume perhaps it is using SSL v3 which maybe firefox doesn't like anymore but honestly I don't know because it doesn't tell me.).
It pisses me off to no end to see a browser update for example all of a sudden break sites that were perfectly usable in the previous version because they decided that some security standard was no longer valid. If you are going to break it the least these people can do is show a more useful error message.
Same goes for web servers / load balancers. I shouldn't get some obscure SSL connection error when connecting via SSLv3 if the remote server doesn't support it. It should accept the connection and show me something that says "sorry I can't serve you data because you are using SSLv3 and that is not secure anymore please upgrade your browser" (to-date haven't seen anything like that).