SHA-1 cert support is vulnerable to collision attacks and is being deprecated (https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/). We should make sure all parts of our product delivery pipeline are not using SHA-1. We're taking care of the update server and code signing in bugs 1116409 and 1079858 respectively, and I think www.mozilla.org and download.mozilla.org are the last pieces.
Right now I am proposing to do this when the current certificate expires at the end of 2015 and end XP SP2 support completely when moving to VS2015 next year.
Bug 1064387 was filed a while back about this, and has a lot more background.