Hubert,

On 10/22/2014 05:27, Hubert Kario wrote:
> Problem is that if something doesn't work in one browser and does in another
> users blame the browser. Even if the browser that doesn't work does the right
> thing.

What if all browsers started doing the right thing?

> Recommending the use of obsolete browsers is also a bad idea - they have well
> known vulnerabilities. It also may simply be not possible in walled gardens
> (phones/tablets).

Are there phones/tablets which can't install any 3rd party browsers at all?

Anyway, the very fallback we are talking about here is a known vulnerability. It sounds like we want a browser that is current on vulnerability fixes, except for this one. That would seem to make the case for some sort of "legacy mode" in current browsers.

>> This way, browsers won't subject the requests to 99.999% of servers that
>> are not TLS-intolerant to needless MITM attacks, not to mention extra
>> network bandwidth and round trips.
>
> It's closer to below 99% or 89%, depending on which TLS version you look at.

Do you have any pointer to the versions and data for this 99% / 89%?
> It's rare, but it's not unheard of, and that's internet facing dedicated web
> servers. I'm afraid what the statistics would be for devices where the TLS
> part is secondary (routers/automation systems/smart devices/etc.) which we
> can't really probe.

For legacy devices, a "legacy mode" in the browser seems most appropriate.

Julien

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
