Right now all our web sites use SHA-1-based certificates from Gandi. Those are being gradually deprecated in favor of SHA-2. Chrome will start showing warnings over the next few months for any site using a SHA-1 certificate that expires in 2017. Probably something similar will happen with other browsers.

Gandi now allows use of SHA-2 for certificates, so we should switch to that. More info:
https://shaaaaaaaaaaaaa.com/
https://www.gandi.net/news/en/2014-10-21/2460-sha-2_certificates_are_now_available/
https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

As a side note, there are a couple of other issues present (POODLE and other nasty stuff):
[MB] https://www.ssllabs.com/ssltest/analyze.html?d=musicbrainz.org&hideResults=on
[CB] https://www.ssllabs.com/ssltest/analyze.html?d=critiquebrainz.org&hideResults=on