On Tue, 2018-06-05 at 11:41 -0500, mcatanzaro@xxxxxxxxx wrote:
> On Tue, Jun 5, 2018 at 4:14 AM, Nikos Mavrogiannopoulos
> <nmav@xxxxxxxxxx> wrote:
> > Note that this change, if applied, includes browsers shipped by
> > Fedora (i.e., Firefox). That is pretty much an all-or-nothing plan:
> > either we bump the defaults for all software, or for none.
>
> Nikos, I'm really surprised to see you commenting here without
> saying anything for or against the change.
> Surely this will break a large number of websites?

I am actually very curious about the results of such a move, and to know
whether it is going to have a significant impact today. Debian has
already tried experimenting with it:
https://lists.debian.org/debian-devel/2017/08/msg00166.html

> And, if not, then surely we should be able to first convince
> upstream Firefox and Chrome to drop support for TLS 1.0 and 1.1?
> I would not have any objections if these upstreams were to take
> the step first. Yet that seems extremely unlikely.

I think the debate here is whether Fedora (and in general operating
systems) can afford to be stricter than the browsers. As an OS our
attack surface is much larger than the browser setup, and thus it makes
sense (to me) to be more careful. Can we afford to break a significant
part of our users? Of course not, but I think that this change is
eventually happening, especially with TLS 1.3 expected to be deployed
widely, and it seems to me that we only wait to see who will do the
first step.

regards,
Nikos