On 06/07/2014 20:41, Yaron Sheffer wrote:
> Hmmm, surprisingly the answer to Stephen's question is, essentially no.
> We're now at 60% TLS 1.0-only.

According to SSL Pulse data, 25.7% supported TLS 1.2 in January, and 37%
in June. It will be 38.5% in July. So there's been a significant change.

As to why my numbers are different to those Julien published, it will come
down to the differences in data sets and the scanning methodology. Just as
an illustration, I accept only valid certificates in my survey, but there's
no mention of validation in Julien's post.

> Thanks,
> Yaron
>
> On 07/06/2014 10:35 PM, Ivan Ristić wrote:
>> On 06/07/2014 20:31, Stephen Farrell wrote:
>>>
>>> On 06/07/14 20:29, Yaron Sheffer wrote:
>>>> Adding some data to my previous mail:
>>>>
>>>> As of Jan. 2014, 65% of the top 1M Web servers did not speak TLS 1.1 or
>>>> 1.2 [1]. So while we should move implementations to TLS 1.2 (as we do in
>>>> this draft), it is probably too early to mandate against the fallback to
>>>> TLS 1.0.
>>>
>>> I wonder if that's changed post-heartbleed? I suspect it may well
>>> have but no idea by how much. Anyone know?
>>
>> Monthly stats are available from SSL Pulse:
>>
>> https://www.trustworthyinternet.org/ssl-pulse/
>>
>> There might be some problems currently when viewing the site in Firefox
>> on Windows. Please use another browser if you can. I'll report the
>> problem.
>>
>> If you'd like to see some stats that are currently not available, let me
>> know. CVE-2014-0224 stats will be available in a couple of days.
>>
>>> S.
>>>
>>>>
>>>> Thanks,
>>>> Yaron
>>>>
>>>> [1] https://jve.linuxwall.info/blog/index.php?post/TLS_Survey
>>>>
>>>> On 07/06/2014 10:09 PM, Yaron Sheffer wrote:
>>>>> Hi Trevor, thanks for your review. Please see my comments in line.
>>>>>
>>>>> On 06/30/2014 09:11 PM, Trevor Freeman wrote:
>>>>>> General Comments.
>>>>>>
>>>> [...]
>>>>
>>>>>>
>>>>>> Section 3.2 still treats SSL 3.0 differently to TLS 1.0. Why is it ok to
>>>>>> fall back to TLS 1.0 but not SSL 3.0 if both offer the same security?
>>>>>
>>>>> This is a good question. I believe the answer is, because much of the
>>>>> server population still only supports TLS 1.0, and if we recommend
>>>>> otherwise, the recommendation will be ignored for (justified)
>>>>> interoperability reasons. But I may be wrong about the prevalence of
>>>>> such servers.
>>>>>
>>>> [...]
>>>>
>>>> _______________________________________________
>>>> Uta mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/uta

--
Ivan
