On Wednesday 22 October 2014 15:54:57 Julien Pierre wrote: > Hubert, > > On 10/22/2014 05:27, Hubert Kario wrote: > > Problem is that if something doesn't work in one browser and does in > > another users blame the browser. Even if the browser that doesn't work > > does the right thing. > > What if all browsers started doing the right thing ?
That's a very hypothetical question... "What if all servers deployed TLS1.2 and refused connections with anything older?" That would also fix the problem... > > Recommending the use of obsolete browsers is also a bad idea - they have > > well known vulnerabilities. It also may simply be not possible in walled > > gardens (phones/tablets). > > Are there phone/tablets which can't install any 3rd party browsers at all ? AFAIK, iOS devices require you to use the system TLS stack. > Anyway, the very fallback we are talking about here is a known > vulnerability. > It sounds like we want a browser that is current on vulnerability fixes, > except for this one. I'm not saying it isn't. But it is behaviour that is expected by users. Just like users expect to not see "this connection is untrusted, you may be subject to MITM attack" when connecting over plain HTTP. > >> This way, browsers won't subject the requests to 99.999% of servers that > >> are not TLS-intolerant to needless MITM attacks, not to mention extra > >> network bandwidth and round trips. > > > > It's closer to below 99% or 89%, depending on which TLS version you look > > at. > Do you have any pointer to the versions and data for this 99% / 89% ? http://www.ietf.org/proceedings/90/slides/slides-90-tls-0.pdf -- Regards, Hubert Kario -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
