On Tuesday 21 October 2014 16:10:52 Julien Pierre wrote:
> Hubert,
>
> On 10/21/2014 05:06, Hubert Kario wrote:
> > Yes, it's external to the TLS, and yes, it's bad that browsers do use
> > the manual fallback. Yes, the servers should be regularly updated and
> > as such bugs that cause it fixed. Yes, the configurations should be
> > updated to align them with current recommendations.
> >
> > But it doesn't happen in the real world.
> >
> > So either we can push for policies which will never be implemented and
> > be workable in the real world, or we can try to make the systems secure in
> > the real world for people that care (both users and server admins that
> > do apply updates regularly).
> >
> > Yes, I'd like to live in a world where it's not necessary, but we don't.
>
> IMO, reasonable decisions can be made to drop support for TLS-intolerant
> servers.
>
> Those who have legacy devices that can't be updated could still use
> legacy browsers to connect to them, or there could be an explicit legacy
> mode of operation in current browsers that preserves it.

Problem is that if something doesn't work in one browser and does in another, users blame the browser. Even if the browser that doesn't work does the right thing.

Recommending the use of obsolete browsers is also a bad idea - they have well-known vulnerabilities. It also may simply not be possible in walled gardens (phones/tablets).

> This way, browsers won't subject the requests to 99.999% of servers that
> are not TLS-intolerant to needless MITM attacks, not to mention extra
> network bandwidth and round trips.

It's closer to below 99% or 89%, depending on which TLS version you look at. It's rare, but it's not unheard of, and that's internet-facing dedicated web servers. I'm afraid of what the statistics would be for devices where the TLS part is secondary (routers/automation systems/smart devices/etc.) which we can't really probe.

-- 
Regards,
Hubert Kario

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
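The trade-off the two of them are arguing about, as an added toy model that is not part of the thread: a browser with "manual fallback" retries with lower protocol versions after a failed handshake, which lets an active attacker who can merely drop handshakes pull a fully compliant server down to the lowest version, while a browser without fallback cannot reach a version-intolerant server at all. Versions are modelled as integers 10..12 (TLS 1.0..1.2) and the server/attacker behaviour is a deliberate simplification, not real TLS.

```python
"""Toy model of browser TLS version fallback versus an active attacker.

Assumptions (constructed for this example, not from the thread):
- versions are integers 10, 11, 12 standing for TLS 1.0, 1.1, 1.2;
- a "version-intolerant" server aborts any ClientHello that offers a
  version above what it supports instead of negotiating down;
- the attacker can only drop handshakes, never forge or decrypt them.
"""
from typing import Optional

VERSIONS = [12, 11, 10]  # what the browser is willing to offer, highest first


def server_reply(max_supported: int, intolerant: bool, offered: int) -> Optional[int]:
    """Negotiated version for one ClientHello, or None if the server aborts."""
    if offered > max_supported and intolerant:
        return None                        # buggy server: aborts on an unknown version
    return min(offered, max_supported)     # correct TLS behaviour: negotiate downwards


def handshake(offered: int, server: dict, attacker_floor: Optional[int]) -> Optional[int]:
    """Deliver one ClientHello; an attacker on the path drops anything above its floor."""
    if attacker_floor is not None and offered > attacker_floor:
        return None                        # dropped on the wire, looks like a flaky server
    return server_reply(server["max"], server["intolerant"], offered)


def connect(server: dict, manual_fallback: bool, attacker_floor: Optional[int] = None) -> Optional[int]:
    """Browser side: with manual fallback, retry each lower version after a failure."""
    attempts = VERSIONS if manual_fallback else VERSIONS[:1]
    for version in attempts:
        negotiated = handshake(version, server, attacker_floor)
        if negotiated is not None:
            return negotiated
    return None                            # connection failure shown to the user


if __name__ == "__main__":
    legacy = {"max": 10, "intolerant": True}     # the "devices that can't be updated" case
    modern = {"max": 12, "intolerant": False}    # the 99% case
    print("legacy, fallback on :", connect(legacy, True))          # 10: works
    print("legacy, fallback off:", connect(legacy, False))         # None: fails
    print("modern, attacker, fallback on :", connect(modern, True, 10))   # 10: downgraded
    print("modern, attacker, fallback off:", connect(modern, False, 10))  # None: only DoS
```

The last two lines are the point of the thread: fallback keeps the legacy server reachable, but turns a handshake-dropping attacker from a denial of service into a version downgrade against every compliant server too.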