Just noticed all four certs in the chain on https://www.microsoft.com use SHA1. The root cert, "Baltimore CyberTrust Root", expires in 2025. Will root CAs also have to be replaced by 2016?

The relative urgency around this cutoff comes off as panick-y to me. They never seemed to bother updating roots or add SNI support for older, still supported OSes like WinXP.