Re: [Last-Call] Next steps on Deprecation/Obsolescence of TLS 1.0/1.1 Re: [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice


 



One question that I think makes sense to ask is, is this the right metric? Eliot suggested that maybe what we mean by obsolete is that orgs should start phasing it out, not that they are done phasing it out. I think I agree.

On Dec 7, 2020, at 07:45, Eric Rescorla <ekr@xxxxxxxx> wrote:




On Sun, Dec 6, 2020 at 6:08 PM Michael Richardson <mcr+ietf@xxxxxxxxxxxx> wrote:

EXECSUM: publish. We waited too long for this.

Eric Rescorla <ekr@xxxxxxxx> wrote:
    > The general story is the same: there is increasing but far from
    > universal support for TLS 1.3 and nearly universal TLS 1.2
    > support. For instance Qualys shows 99% of Web sites
    > supporting TLS 1.2 and the vast majority of measured connections
    > look like they are 1.2 or above (eyeballing at a percent or two)

That's totally public web centric.

I read somewhere that a significant portion of TLS traffic is b2b, and
doesn't show up as "web sites".  I'm sorry, I don't have a reference, I'd
have to dig through bookmarks for a few hours.

This survey can't measure the thousands of devices that are stuck at TLS 1.0,
because the vendors abandoned ("EOL") them in 2016 without releasing anything
significant since 2010.

For instance, two entire generations of "managed" SOHO 10/100/1000 switches.
Still perfectly serviceable.... until the browser interface fails because the
browsers decide, based upon the above survey to move on.

We didn't make our decisions based on this survey. We based them on our own
measurements of how much TLS traffic < 1.2 we were seeing, which also includes
the non-public Web. If you look upthread you'll see Eliot complaining that that's
too Firefox centric, so I provided the papers listed above.

-Ekr

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
