On 2/12/2025 8:15 AM, William Herrin wrote:
And then of course there's the completely fair question of whether
it's sensible to forcibly deprecate older security protocols when
accessing information that's also offered over fully unencrypted
channels. Confidentiality, Integrity AND Availability. Lotta wounds to
availability from forced deprecation. Whole lot.


The software has no concept of what the data is and must provide the user the desired confidentiality and integrity, which unfortunately means forced deprecation and a possible lack of Availability. This also applies to features such as HTTPS RRs in DNS, which aren't always configured correctly, and ECH, which prohibits fallback when it breaks: choosing security over availability.

I do wish browsers were better at explaining why something breaks, though. It's especially bad with embedded content where it just doesn't work and even dev tools might show "server disconnected prematurely" or something similar.

Jack
