>>> I'd encourage you to try to get people to be open about
>>> things here - there's no particular shame in having 10% TLSv1.0
>>> sessions after all:-)
>>
>> It isn't a question of shame but it is just a bit too much information
>> to provide a potential adversary.  That is, to say that Stock Exchange XYZ
>> has n% of TLS1.0 clients provides a potential attacker too much
>> information.
>
> Not sure I agree there tbh. If they're externally visible
> services, then it's public already. If they're not, and the
> attacker is inside the n/w, then the bad actor can find it
> out then. But I do understand organisations being shy about
> such things.

Having gone through this exercise recently, I agree with Nalini on why people would not want to report openly.

For a typical enterprise, 10% TLS 1.0 in the internal network could well mean that 10% of your servers are Java boxes that have not been updated in the last two years (and so are riddled with vulnerabilities that are much more severe than the old TLS version). Absolutely a good reason to be ashamed :-) and certainly not information that you'd want to share openly.

Thanks,
        Yaron
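Added example, not part of this thread or any poster's message: a small script that does the kind of measurement Yaron describes. It reads a handshake log, reports the share of sessions per TLS version, and separates servers that merely still *allow* TLS 1.0 from servers that have *only ever* negotiated TLS 1.0, since the latter are the likelier unpatched stacks. The log format (timestamp, client, server:port, negotiated version, cipher suite) and the sample lines are constructed for the example; a real source (Zeek ssl.log, proxy or load-balancer logs) needs its own field mapping.

```python
"""Share of TLS 1.0 sessions in a handshake log, and the servers behind it.

Constructed example for the TLS-list thread above; not code from the list
or from any poster. The log format is a simplified, made-up one:
    <timestamp> <client-ip> <server:port> <negotiated-version> <cipher-suite>
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: ten internal handshakes. Version spellings vary on
# purpose ("TLSv1", "TLS1.0", "TLSv1.0"), as they do across real loggers.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.0.1.15 10.0.2.40:8443 TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2024-05-01T08:00:02Z 10.0.1.22 10.0.2.41:443 TLSv1.3 TLS_AES_256_GCM_SHA384
2024-05-01T08:00:03Z 10.0.1.15 10.0.2.77:8443 TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
2024-05-01T08:00:04Z 10.0.1.30 10.0.2.77:8443 TLS1.0 TLS_RSA_WITH_AES_128_CBC_SHA
2024-05-01T08:00:05Z 10.0.1.22 10.0.2.40:8443 TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2024-05-01T08:00:06Z 10.0.1.41 10.0.2.90:8009 TLSv1.0 TLS_RSA_WITH_AES_128_CBC_SHA
2024-05-01T08:00:07Z 10.0.1.41 10.0.2.90:8009 TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2024-05-01T08:00:08Z 10.0.1.50 10.0.2.41:443 TLSv1.3 TLS_AES_128_GCM_SHA256
2024-05-01T08:00:09Z 10.0.1.50 10.0.2.40:8443 TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2024-05-01T08:00:10Z 10.0.1.60 10.0.2.41:443 TLSv1.3 TLS_AES_256_GCM_SHA384
"""

LEGACY_VERSIONS = ("TLSv1.0", "TLSv1.1")


@dataclass(frozen=True)
class Handshake:
    ts: str
    client: str
    server: str   # "host:port"
    version: str  # normalised, e.g. "TLSv1.0"
    cipher: str


def normalise_version(v: str) -> str:
    """Map "TLSv1", "TLS1.0", "tlsv1.2" etc. onto the single form "TLSv<maj.min>"."""
    core = v.upper().replace("TLS", "").replace("V", "").strip()
    if core == "1":          # "TLSv1" is the OpenSSL spelling of TLS 1.0
        core = "1.0"
    return f"TLSv{core}"


def parse_log(text: str) -> list[Handshake]:
    """Parse the constructed log format; blank and '#' lines are skipped,
    malformed lines raise rather than silently skewing the percentages."""
    out: list[Handshake] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, client, server, version, cipher = parts
        out.append(Handshake(ts, client, server, normalise_version(version), cipher))
    return out


def version_share(hs: list[Handshake]) -> dict[str, float]:
    """Percentage of sessions per negotiated version (one decimal place)."""
    counts = Counter(h.version for h in hs)
    total = sum(counts.values())
    return {v: round(100.0 * n / total, 1) for v, n in sorted(counts.items())}


def legacy_servers(hs: list[Handshake]) -> dict[str, int]:
    """Servers that negotiated a legacy version at least once, with counts,
    busiest first. These still *allow* TLS 1.0/1.1."""
    by_server: dict[str, int] = defaultdict(int)
    for h in hs:
        if h.version in LEGACY_VERSIONS:
            by_server[h.server] += 1
    return dict(sorted(by_server.items(), key=lambda kv: -kv[1]))


def only_legacy_servers(hs: list[Handshake]) -> set[str]:
    """Servers that never negotiated anything newer than a legacy version.
    A server that also does TLS 1.2 merely has old versions enabled; one
    that only ever speaks TLS 1.0 is the better candidate for a stack that
    has not been updated in years."""
    seen: dict[str, set[str]] = defaultdict(set)
    for h in hs:
        seen[h.server].add(h.version)
    return {srv for srv, versions in seen.items() if versions <= set(LEGACY_VERSIONS)}


if __name__ == "__main__":
    handshakes = parse_log(SAMPLE_LOG)
    print("version share:", version_share(handshakes))
    print("servers still allowing legacy TLS:", legacy_servers(handshakes))
    print("servers seen with legacy TLS only:", only_legacy_servers(handshakes))
```

On the constructed sample this reports 30% TLS 1.0, two servers that allowed it, and one (10.0.2.77:8443) that never negotiated anything else; that last list is the one worth chasing for patch level before the percentage itself is worried about.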

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls