Stephen,

Sorry for the late reply. I was travelling to Montreal from India and was jet lagged.
> >> I am thinking the following:
> >>
> >> Location: U.S. / Canada (possibly U.K.)
> >>
> >> - 3 banks (hopefully from the top 5)
> >> - 3 large insurance companies (includes back end processing)
> >> - 3 U.S. federal government agencies
> >> - 3 companies in the Wall Street / Stock brokerage sector (includes back
> >> end processing)
> >> - 3 large credit card / processors (ex. Visa, Discover, MasterCard, etc.)
> >> - 3 in the retail sector (Home Depot, Target, Lowes, et al)
>
> Those are pretty small numbers unless they're interacting with
> a lot of TLS services. It'd be hard to know if they'd be
> representative of something or not if they're anonymised in the
> results.

I would expect that these people would have quite a few applications using TLS: Telnet, FTP, MQSeries, SMTP, and many written by the organization itself. What numbers do you feel WOULD be representative?

> I'd encourage you to try to get people to be open about
> things here - there's no particular shame in having 10% TLSv1.0
> sessions after all:-)

It isn't a question of shame, but it is just a bit too much information to provide a potential adversary. That is, to say that Stock Exchange XYZ has n% of TLS1.0 clients provides a potential attacker too much information.

As I say, most organizations that I know are trying very hard to migrate from older versions. It is not as simple as it might seem.

If the organizations need to be identified by name, then I think this will be a show stopper for any kind of data that I might be able to provide.

Having said that, I completely understand (and share) your distrust of anonymous data.

I am at a loss as to how to proceed. I am open to any constructive suggestions.

Thanks,
Nalini

On Wed, Jul 11, 2018 at 5:50 AM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>
> Hiya,
>
> On 11/07/18 06:45, nalini elkins wrote:
> > Stephen,
> >
> >> I'd love to add more detail like that and/or more sections for other
> >> protocols if folks have data to offer with references.
> >
> > I believe that I can reach out to various people I know. Please comment
> > if my methodology is acceptable and if you think this will be helpful.
>
> It's not whether the methodology is acceptable to me or not
> but whether or not the references to the numbers are credible
> for readers:-)
>
> A few comments below,
>
> > I am thinking the following:
> >
> > Location: U.S. / Canada (possibly U.K.)
> >
> > - 3 banks (hopefully from the top 5)
> > - 3 large insurance companies (includes back end processing)
> > - 3 U.S. federal government agencies
> > - 3 companies in the Wall Street / Stock brokerage sector (includes back
> > end processing)
> > - 3 large credit card / processors (ex. Visa, Discover, MasterCard, etc.)
> > - 3 in the retail sector (Home Depot, Target, Lowes, et al)
>
> Those are pretty small numbers unless they're interacting with
> a lot of TLS services. It'd be hard to know if they'd be
> representative of something or not if they're anonymised in the
> results. I'd encourage you to try to get people to be open about
> things here - there's no particular shame in having 10% TLSv1.0
> sessions after all:-)
>
> > Note: I put in "back end processing" because these are the folks that most
> > often have many connections to other business partners and so in some ways
> > have the most complex systems to deal with.
> >
> > Note #2: This is aspirational! I hope I can get all these people to
> > cooperate. I will try at least to get some in each category.
> >
> > I will ask them the following questions:
> >
> > 1. How many applications do you have? (This may end up being only the
> > mission critical ones as otherwise it may be too hard to obtain.)
>
> I'm not sure that's so interesting for this question. And I'm not
> sure that different people would count things as applications in
> the same way.
>
> > 2. How many are using TLS and how many are still plain text? (We will
> > disregard SSH and other such variants.)
>
> Again, that's not so interesting here.
>
> > 3. What percent of clients are using a pre-TLS1.2 version? (This will be
> > an estimation.)
>
> I don't see why this needs to be estimated, this is kinda the key
> measurement needed and easy to measure. There should be no need for
> anyone to stick their thumb in the air for this:-)
>
> It'd be good to distinguish TLSv1.0 from TLSv1.1 (and SSLv3 and
> TLSv1.3) and to say for how many TLS sessions or hosts/IPs the
> figures apply.
>
> And of course providing as much context as possible so that it's
> possible to understand the numbers and whether or not the numbers
> from different sources are based on the same or different kinds of
> measurement.
>
> > 4. Do you have an active project to migrate off of older versions of TLS?
>
> Sure.
>
> > 5. What do you estimate your percent of clients using pre-TLS1.2 versions
> > to be next year?
>
> I don't see how this'd be so useful. Asking about the historic and
> current rates of change of use of the various protocol versions would
> be good though if people have that, but they may not.
>
> S.
>
> > Please let me know if this will be of use & if you have suggestions for
> > improvement.
> >
> > Thanks,
> > Nalini
> >
> > On Tue, Jul 10, 2018 at 1:51 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie>
> > wrote:
> >
> >> Hi Nalini,
> >>
> >> On 10/07/18 04:50, nalini elkins wrote:
> >>> It would be nice to see some of this reflected in the draft rather than
> >>> only statistics on browsers. The real usage of these protocols is far
> >>> more complex.
> >>
> >> I didn't have time before the I-D cutoff but have since
> >> added a section on mail to the repo pre-01 version. (See
> >> [1] section 3.2.) I'd love to add more detail like that
> >> and/or more sections for other protocols if folks have
> >> data to offer with references.
> >>
> >> Consistent with other folks' numbers sent to the list
> >> yesterday, (though based on a much smaller set of data I
> >> guess;-) my data shows 10.6% use of TLSv1.0 when talking
> >> SMTP/IMAP/POP (or HTTP) over TLS to a population of ~200K
> >> IP addresses that listen on port 25 (mail servers).
> >>
> >> What I don't currently have is a rate of change for that
> >> figure. I think that rate of change is the important number
> >> for figuring out what to do in the next while. E.g. the
> >> WG might conclude that if the percentage of TLSv1.0 is
> >> moving down nicely, we should be a bit patient. If it's
> >> not moving at all, we can probably move now or in 5 years
> >> without that being different. If we're not sure, then get
> >> more data...
> >>
> >> Cheers,
> >> S.
> >>
> >> [1]
> >> https://github.com/sftcd/tls-oldversions-diediedie/blob/master/draft-moriarty-tls-oldversions-diediedie.txt
> >>
> >

--
Thanks,
Nalini Elkins
President
Enterprise Data Center Operators
www.e-dco.com
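The measurement Stephen asks for above (distinguish each protocol version, say whether a figure is per session or per host/IP, and report the rate of change rather than a one-off estimate), as an added example that is neither correspondent's code nor part of the draft. The log format and the sample lines are constructed assumptions standing in for a TLS terminator's connection log.

```python
from collections import Counter, defaultdict

# Constructed sample of TLS-terminator log lines (assumed format, not real data).
SAMPLE_LOG = """\
2018-06-01 203.0.113.10 TLSv1.0 SMTP
2018-06-01 203.0.113.11 TLSv1.2 SMTP
2018-06-02 203.0.113.10 TLSv1.0 IMAP
2018-06-02 198.51.100.5 TLSv1.1 HTTPS
2018-06-03 198.51.100.6 TLSv1.2 HTTPS
2018-07-01 203.0.113.10 TLSv1.2 SMTP
2018-07-01 203.0.113.11 TLSv1.2 SMTP
2018-07-02 198.51.100.5 TLSv1.1 HTTPS
2018-07-03 198.51.100.7 TLSv1.3 HTTPS
2018-07-03 198.51.100.6 TLSv1.2 HTTPS
"""
PRE_TLS12 = {"SSLv3", "TLSv1.0", "TLSv1.1"}

def parse_log(log):
    """Yield (month, client_ip, version) per session; month is YYYY-MM."""
    for line in log.splitlines():
        date, ip, version, _app = line.split()
        yield date[:7], ip, version

def version_shares(rows):
    """Per month and version: share of sessions, and share of distinct client IPs
    seen with it (a host using two versions in a month counts under both)."""
    sessions = defaultdict(Counter)
    hosts = defaultdict(lambda: defaultdict(set))
    for month, ip, version in rows:
        sessions[month][version] += 1
        hosts[month][version].add(ip)
    shares = {}
    for month, counts in sessions.items():
        n_sessions = sum(counts.values())
        n_hosts = len(set().union(*hosts[month].values()))
        shares[month] = {v: {"sessions": counts[v] / n_sessions,
                             "hosts": len(hosts[month][v]) / n_hosts}
                         for v in counts}
    return shares

def pre_tls12_trend(shares, earlier, later, basis="sessions"):
    """Pre-TLS1.2 share in two periods and the change, on one stated basis."""
    def pre12(month):
        return sum(s[basis] for v, s in shares[month].items() if v in PRE_TLS12)
    before, after = pre12(earlier), pre12(later)
    return round(before, 4), round(after, 4), round(after - before, 4)

if __name__ == "__main__":
    shares = version_shares(parse_log(SAMPLE_LOG))
    print(pre_tls12_trend(shares, "2018-06", "2018-07"))  # (0.6, 0.2, -0.4)
```

Passing `basis="hosts"` gives the same trend on a per-IP basis, which on this sample is (0.5, 0.2, -0.3); the two bases differ because one host accounts for both June TLSv1.0 sessions.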
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls