Hubert,

On 10/21/2014 05:06, Hubert Kario wrote:

Yes, it's external to the TLS, and yes, it's bad that browsers do use
the manual fallback. Yes, the servers should be regularly updated and,
as such, the bugs that cause it fixed. Yes, the configurations should be
updated to align them with current recommendations.

But it doesn't happen in the real world.

So either we can push for policies which will never be implemented and
be workable in the real world, or we can try to make the systems secure in
the real world for people that care (both users and server admins that
do apply updates regularly).

Yes, I'd like to live in a world where it's not necessary, but we don't.
IMO, reasonable decisions can be made to drop support for TLS intolerant servers.

Those who have legacy devices that can't be updated could still use legacy browsers to connect to them, or there could be an explicit legacy mode of operation in current browsers that preserves it.

This way, browsers won't subject the requests to 99.999% of servers that are not TLS-intolerant to needless MITM attacks, not to mention extra network bandwidth and round trips.

Julien

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto