On Saturday, 14 July 2018 18:59:01 CEST Yaron Sheffer wrote:
> >>> I'd encourage you to try to get people to be open about
> >>> things here - there's no particular shame in having 10% TLSv1.0
> >>> sessions after all :-)
> >>
> >> It isn't a question of shame but it is just a bit too much information
> >> to provide a potential adversary. That is, to say that Stock Exchange
> >> XYZ has n% of TLS1.0 clients provides a potential attacker too much
> >> information.
> >
> > Not sure I agree there tbh. If they're externally visible
> > services, then it's public already. If they're not, and the
> > attacker is inside the n/w, then the bad actor can find it
> > out then. But I do understand organisations being shy about
> > such things.
>
> Having gone through this exercise recently, I agree with Nalini on why
> people would not want to report openly.
>
> For a typical enterprise, 10% TLS 1.0 in the internal network could well
> mean that 10% of your servers are Java boxes that have not been updated
> in the last two years (and so are riddled with vulnerabilities that are
> much more severe than the old TLS version). Absolutely a good reason to
> be ashamed :-) and certainly not information that you'd want to share
> openly.
or fully updated and supported RHEL-5 servers... that data point alone is
far too little to say if the use of TLS 1.0 is shameful or not

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
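Both Yaron's and Hubert's point is that a bare "n% TLS 1.0" figure says nothing about whether the stragglers are unpatched Java 6 boxes or supported RHEL 5 hosts; the useful exercise is to break the share down by client and by host. The script below does that over a handful of constructed access-log lines. It is an added example and not code from the thread or from any participant; it assumes an nginx-style log_format that appends "$ssl_protocol" and "$http_user_agent" to the combined format (the field order and the sample lines are this example's own assumptions, not real traffic).

```python
"""Break a TLS version share down by client family and by host.

Added example, not part of the original thread. Assumes an nginx-style
access log whose log_format ends with: <status> <bytes> $ssl_protocol
"$http_user_agent". The field order is an assumption of this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.11 - - [14/Jul/2018:18:59:01 +0200] "GET /api/v1/quotes HTTP/1.1" 200 512 TLSv1.2 "Mozilla/5.0 (Windows NT 10.0) Firefox/61.0"
10.0.0.12 - - [14/Jul/2018:18:59:02 +0200] "GET /api/v1/quotes HTTP/1.1" 200 512 TLSv1 "Java/1.6.0_45"
10.0.0.13 - - [14/Jul/2018:18:59:03 +0200] "POST /api/v1/orders HTTP/1.1" 200 128 TLSv1.2 "curl/7.61.0"
10.0.0.14 - - [14/Jul/2018:18:59:04 +0200] "GET /health HTTP/1.1" 200 2 TLSv1 "Java/1.6.0_45"
10.0.0.15 - - [14/Jul/2018:18:59:05 +0200] "GET /health HTTP/1.1" 200 2 TLSv1 "Python-urllib/2.6"
10.0.0.16 - - [14/Jul/2018:18:59:06 +0200] "GET /api/v1/quotes HTTP/1.1" 200 512 TLSv1.3 "Mozilla/5.0 (X11; Linux x86_64) Chrome/68.0"
10.0.0.17 - - [14/Jul/2018:18:59:07 +0200] "GET /api/v1/quotes HTTP/1.1" 200 512 TLSv1.1 "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
10.0.0.18 - - [14/Jul/2018:18:59:08 +0200] "GET /api/v1/quotes HTTP/1.1" 200 512 TLSv1.2 "Java/1.8.0_171"
10.0.0.19 - - [14/Jul/2018:18:59:09 +0200] "GET /health HTTP/1.1" 200 2 TLSv1 "Java/1.6.0_45"
10.0.0.20 - - [14/Jul/2018:18:59:10 +0200] "GET /api/v1/quotes HTTP/1.1" 200 512 TLSv1.2 "Mozilla/5.0 (Macintosh) Safari/605.1"
"""

# combined log prefix, then status, bytes, protocol and quoted user agent
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ '
    r'(?P<proto>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return (client_ip, tls_protocol, user_agent) or None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("proto"), m.group("ua")


def client_family(ua):
    """Collapse a User-Agent to a coarse family (e.g. 'Java 1.6') so that one
    stale platform shows up as one row rather than many distinct strings."""
    m = re.match(r"(Java|Python-urllib|curl)/(\d+(?:\.\d+)?)", ua)
    if m:
        return f"{m.group(1)} {m.group(2)}"
    for browser in ("Firefox", "Chrome", "Safari"):
        if browser in ua:
            return browser
    return "other"


def tls_breakdown(log_text):
    """Return (share_by_protocol, client_families_by_protocol, hosts_by_protocol).

    share_by_protocol maps e.g. 'TLSv1' -> fraction of parsed sessions;
    client_families_by_protocol maps protocol -> {family: session count};
    hosts_by_protocol maps protocol -> sorted list of distinct client IPs.
    """
    sessions = Counter()
    clients = defaultdict(Counter)
    hosts = defaultdict(set)
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        ip, proto, ua = rec
        total += 1
        sessions[proto] += 1
        clients[proto][client_family(ua)] += 1
        hosts[proto].add(ip)
    share = {p: n / total for p, n in sessions.items()} if total else {}
    return (share,
            {p: dict(c) for p, c in clients.items()},
            {p: sorted(h) for p, h in hosts.items()})


if __name__ == "__main__":
    share, clients, hosts = tls_breakdown(SAMPLE_LOG)
    for proto in sorted(share):
        print(f"{proto:8s} {share[proto]:5.0%}  "
              f"clients={clients[proto]}  hosts={len(hosts[proto])}")
```

On the sample the TLSv1 row is entirely "Java 1.6" and "Python-urllib 2.6" from four distinct hosts, which is exactly the distinction the thread is after: the same 40% would look very different if the families were a supported platform's stock TLS stack. For an Apache httpd deployment the same idea works with a CustomLog format containing %{SSL_PROTOCOL}x and %{User-Agent}i, with LINE_RE adjusted to match.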
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls