I'd like to distinguish between two different questions:
1. Whether or not the IETF should recommend that people stop using older
versions of TLS.
2. Whether or not vendors should stop accepting/supporting older versions
The former one of these is just exhorting people to stop, which people can
comply with or not. The latter has real impact, especially for something
like a browser where you (and counterparties) just get involuntarily
In the latter situation, we need to be pretty sensitive to wide use to
avoid bricking people. In the former situation, however, part of the
purpose of the IETF deprecating these protocols is to tell people who
haven't gotten off that we think they should, and that's a judgement partly
driven by uses (otherwise you look silly) but not entirely so. Given that
there is a good alternative (i.e., TLS 1.2) that's straightforward to
deploy, I'm not sure that the fact that a lot of people are running downrev
versions means we shouldn't say that the IETF no longer considers that good.
On Wed, Jul 11, 2018 at 2:50 AM, Stephen Farrell <stephen.farr...@cs.tcd.ie>
> On 11/07/18 06:45, nalini elkins wrote:
> > Stephen,
> >> I'd love to add more detail like that and/or more sections for other
> > protocols if folks have data to offer with references.
> > I believe that I can reach out to various people I know. Please comment
> > if my methodology is acceptable and if you think this will be helpful.
> It's not whether the methodology is acceptable to me or not
> but whether or not the references to the numbers are credible
> for readers:-)
> A few comments below,
> > I am thinking the following:
> > Location: U.S. / Canada (possibly U.K.)
> > - 3 banks (hopefully from the top 5)
> > - 3 large insurance companies (includes back end processing)
> > - 3 U.S. federal government agencies
> > - 3 companies in the Wall Street / Stock brokerage sector (includes back
> > end processing)
> > - 3 large credit card / processors (ex. Visa, Discover, MasterCard,
> > - 3 in the retail sector (Home Depot, Target, Lowes, et al)
> Those are pretty small numbers unless they're interacting with
> a lot of TLS services. It'd be hard to know if they'd be
> representative of something or not if they're anonymised in the
> results. I'd encourage you to try get people to be open about
> things here - there's no particular shame in having 10% TLSv1.0
> sessions after all:-)
> > Note: I put in "back end processing" because these are the folks that
> > often have many connections to other business partners and so in some
> > have the most complex systems to deal with.
> > Note #2: This is aspirational! I hope I can get all these people to
> > cooperate. I will try at least to get some in each category.
> > I will ask them the following questions:
> > 1. How many applications do you have? (This may end up being only the
> > mission critical ones as otherwise it may be too hard to obtain.)
> I'm not sure that's so interesting for this question. And I'm not
> sure that different people would count things as applications in
> the same way.
> > 2. How many are using TLS and how many are still plain text? (We will
> > disregard SSH and other such variants.)
> Again, that's not so interesting here.
> > 3. What percent of clients are using a pre-TLS1.2 version? (This will
> > be an estimation.)
> I don't see why this needs to be estimated, this is kinda the key
> measurement needed and easy to measure. There should be no need for
> anyone to stick their thumb in the air for this:-)
> It'd be good to distinguish TLSv1.0 from TLSv1.1 (and SSLv3 and
> TLSv1.3) and to say for how many TLS sessions or hosts/IPs the
> figures apply.
> And of course providing as much context as possible so that it's
> possible to understand the numbers and whether or not the numbers
> from different sources are based on the same or different kinds of
> > 4. Do you have an active project to migrate off of older versions of
> > 5. What do you estimate your percent of clients using pre-TLS1.2
> > to be next year?
> I don't see how this'd be so useful. Asking about the historic and
> current rates of change of use of the various protocol versions would
> be good though if people have that, but they may not.
> > Please let me know if this will be of use & if you have suggestions for
> > improvement.
> > Thanks,
> > Nalini
> > On Tue, Jul 10, 2018 at 1:51 PM, Stephen Farrell <
> > wrote:
> >> Hi Nalini,
> >> On 10/07/18 04:50, nalini elkins wrote:
> >>> It would be nice to see some of this reflected in the draft rather than
> >>> only statistics on browsers. The real usage of these protocols is far
> >>> more complex.
> >> I didn't have time before the I-D cutoff but have since
> >> added a section on mail to the repo pre-01 version. (See
> >>  section 3.2.) I'd love to add more detail like that
> >> and/or more sections for other protocols if folks have
> >> data to offer with references.
> >> Consistent with other folks' numbers sent to the list
> >> yesterday, (though based on a much smaller set of data I
> >> guess;-) my data shows 10.6% use of TLSv1.0 when talking
> >> SMTP/IMAP/POP (or HTTP) over TLS to a population of ~200K
> >> IP addresses that listen on port 25 (mail servers).
> >> What I don't currently have is a rate of change for that
> >> figure. I think that rate of change is the important number
> >> for figuring out what to do in the next while. E.g. The
> >> WG might conclude that if the percentage of TLSv1.0 is
> >> moving down nicely, we should be a bit patient. If it's
> >> not moving at all, we can probably move now or in 5 years
> >> without that being different. If we're not sure, then get
> >> more data...
> >> Cheers,
> >> S.
> >> 
> >> https://github.com/sftcd/tls-oldversions-diediedie/blob/master/draft-moriarty-tls-oldversions-diediedie.txt
> TLS mailing list
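The quoted discussion of survey question 3 asks operators to measure rather than estimate the pre-TLS1.2 share, to separate TLSv1.0, TLSv1.1, SSLv3 and TLSv1.3, to state whether a figure counts sessions or distinct hosts/IPs, and (per the earlier message) to track the rate of change over time. The script below is an added example, not code from the thread or from the draft, of how a server operator could produce exactly those numbers from handshake logs. It assumes a constructed log format of one line per accepted session, `<ISO timestamp> <client_ip> <negotiated_version>`, which is not any particular server's format; the sample lines are constructed too.

```python
"""Tally negotiated TLS version share from per-session handshake logs.

Added example (not part of the mailing-list thread). The log format below is
an assumption: one line per accepted session, "<timestamp> <client_ip> <version>".
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log covering two months; the last line is deliberately
# malformed (missing version) to show that bad lines are skipped, not counted.
SAMPLE_LOG = """\
2018-06-01T09:00:00Z 192.0.2.10 TLSv1.0
2018-06-01T09:01:00Z 192.0.2.11 TLSv1.2
2018-06-01T09:02:00Z 192.0.2.10 TLSv1.0
2018-06-02T10:00:00Z 192.0.2.12 TLSv1.2
2018-06-02T10:05:00Z 192.0.2.13 TLSv1.1
2018-06-03T11:00:00Z 192.0.2.11 TLSv1.2
2018-07-01T09:00:00Z 192.0.2.10 TLSv1.0
2018-07-01T09:30:00Z 192.0.2.11 TLSv1.2
2018-07-02T10:00:00Z 192.0.2.12 TLSv1.2
2018-07-02T10:05:00Z 192.0.2.13 TLSv1.2
2018-07-03T11:00:00Z 192.0.2.14 TLSv1.3
2018-07-03T11:10:00Z 192.0.2.15 TLSv1.2
2018-07-04T12:00:00Z 192.0.2.16
"""

# Versions the draft proposes to deprecate, i.e. everything below TLS 1.2.
PRE_12 = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_log(text):
    """Yield (month, client_ip, version) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than miscount
        ts, ip, ver = parts
        try:
            month = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m")
        except ValueError:
            continue
        yield month, ip, ver


def tally(records):
    """Per month: session count per version and the set of client IPs per version."""
    out = {}
    for month, ip, ver in records:
        m = out.setdefault(month, {"sessions": Counter(), "hosts": defaultdict(set)})
        m["sessions"][ver] += 1
        m["hosts"][ver].add(ip)
    return out


def pre12_share(month_tally):
    """Pre-1.2 share stated both ways: percent of sessions and percent of distinct hosts."""
    sess = month_tally["sessions"]
    total_sessions = sum(sess.values())
    pre12_sessions = sum(n for v, n in sess.items() if v in PRE_12)
    all_hosts = set().union(*month_tally["hosts"].values())
    pre12_hosts = set().union(*(ips for v, ips in month_tally["hosts"].items() if v in PRE_12))
    if not total_sessions or not all_hosts:
        return {"sessions": 0, "hosts": 0, "pre12_session_pct": 0.0, "pre12_host_pct": 0.0}
    return {
        "sessions": total_sessions,
        "hosts": len(all_hosts),
        "pre12_session_pct": round(100.0 * pre12_sessions / total_sessions, 2),
        "pre12_host_pct": round(100.0 * len(pre12_hosts) / len(all_hosts), 2),
    }


def report(text):
    """Per-month breakdown by version plus month-over-month change of the pre-1.2 session share."""
    t = tally(parse_log(text))
    rows, prev = {}, None
    for month in sorted(t):
        row = pre12_share(t[month])
        row["by_version"] = dict(t[month]["sessions"])  # keeps 1.0/1.1/1.2/1.3 separate
        row["change_pts"] = None if prev is None else round(row["pre12_session_pct"] - prev, 2)
        prev = row["pre12_session_pct"]
        rows[month] = row
    return rows


if __name__ == "__main__":
    for month, row in report(SAMPLE_LOG).items():
        print(month, row)
```

The report carries the context Stephen asks for: the denominator (sessions and hosts) is printed next to every percentage, versions are never lumped together, and `change_pts` gives the rate-of-change figure that the earlier message identifies as the number the WG actually needs to decide how patient to be.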