Re: [Last-Call] Next steps on Deprecation/Obsolescence of TLS 1.0/1.1 Re: [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

EXECSUM: publish. We waited too long for this.

Eric Rescorla <ekr@xxxxxxxx> wrote:
    > The general story is the same: there is increasing but far from
    > universal support for TLS 1.3 and nearly universal TLS 1.2
    > support. For instance Qualys shows 99% of Web sites
    > supporting TLS 1.2 and the vast majority of measured connections
    > look like they are 1.2 or above (eyeballing at a percent or two)

That's totally public web centric.

I read somewhere that a significant portion of TLS traffic is b2b, and
doesn't show up as "web sites".  I'm sorry, I don't have a reference, I'd
have to dig through bookmarks for a few hours.

This survey can't measure the thousands of devices that are stuck at TLS 1.0,
because the vendors abandoned ("EOL") them in 2016 without releasing anything
significant since 2010.

For instance, two entire generations of "managed" SOHO 10/100/1000 switches.
Still perfectly serviceable.... until the browser interface fails because the
browsers decide, based upon the above survey, to move on.

It's a lot of eWaste.
I specifically paid top-dollar for a device that I thought would get support
from a reputable vendor.  I installed a certificate into the device, and
bought into HTTPS everywhere, but I feel betrayed.
I feel that I should have instead planned differently.

But:
1) I'm totally in favour of this document.

2) I wish it had been done five years ago so that the vendors might have done an
   upgrade before the product was abandoned.
   Let's not wait so long again.  Let's put a deadline on TLS 1.2 support.

3) I come back to my claim that we need some kind of "iot-browser", which has a
   significantly different policy, and which is unable to talk to facebook,
   or banks.
   It would be interesting to figure out what the limitations we need to do are.

Eliot started a thread on IOTOPS about this.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call