On Thu, Apr 30, 2020 at 7:59 PM Keith Moore <mo...@network-heretics.com>
wrote:

> People do not always have the luxury of upgrading their clients and
> servers to versions that support the recent TLS.    Some legacy hardware
> has firmware that cannot be upgraded because no upgrades are
> available.   Service providers do not always have the leverage to insist
> that their customers upgrade, or the luxury of abandoning customers. etc.
>

Somewhat tangentially from the topic at hand: if you are running a piece of
hardware that cannot upgrade its TLS stack at all, you quite likely have a
number of serious unpatched vulnerabilities, and should reconsider whether
it is safe to have that hardware attached to the Internet. Of course, you
might be running some ESR software where you can only take security
releases, in which case this does not apply.
> I also think it's odd that there are recommendations like this that say
> "don't support TLS x.y" but say nothing about not supporting cleartext
> for protocols that still have a cleartext mode.  Even SSL 1.0 is
> probably better than cleartext (at least from a security perspective, if
> not from a support burden perspective) as long as it's not trusted to be
> secure.
>

While perhaps technically true, for the reasons above I believe this to be
irrelevant: TLS 1.2 is nearly 12 years old. At this point, any
implementation which does not support it should be presumed to be insecure
regardless of our opinion on the specific protocols it supports.

-Ekr
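As an added illustration that is not part of the thread: both replies above turn on which clients can still offer TLS 1.2, and an operator who wants to follow ekr's advice without stranding unknown legacy hardware first needs an inventory. The parser below reads the versions a ClientHello offers, from the legacy client_version field and, for TLS 1.3 clients, the supported_versions extension (RFC 8446), so a minimum-version policy can be measured before it is enforced. All ClientHellos here are constructed by the example itself, not captured traffic.

```python
"""Passive inventory of the TLS versions a client offers (constructed ClientHellos,
not captured traffic).  Reads legacy client_version and, for TLS 1.3 clients, the
supported_versions extension so an operator can count who a minimum-version policy cuts off."""
import struct

KNOWN_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B

def offered_versions(record: bytes) -> list:
    """Return the known protocol versions a ClientHello offers, highest first."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    versions = [int.from_bytes(body[0:2], "big")]        # legacy client_version
    pos = 2 + 32                                         # skip random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    if pos + 2 <= len(body):                             # extensions are optional
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT and data:
                # supported_versions overrides legacy_version; unknown/GREASE values are dropped below
                versions = [int.from_bytes(data[i:i + 2], "big")
                            for i in range(1, 1 + data[0], 2)]
    return sorted({v for v in versions if v in KNOWN_VERSIONS}, reverse=True)

def meets_minimum(record: bytes, minimum: int = 0x0303) -> bool:
    """True if the client offers at least `minimum` (default TLS 1.2)."""
    return any(v >= minimum for v in offered_versions(record))

def build_client_hello(legacy_version, supported=None) -> bytes:
    """Construct a minimal ClientHello for this example (not real traffic)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # zero random, empty session_id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
    if supported is not None:
        sv = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a TLS 1.3 client, a TLS 1.2 client, and a TLS 1.0-only legacy client.
TLS13_HELLO = build_client_hello(0x0303, [0x0304, 0x0303])
TLS12_HELLO = build_client_hello(0x0303)
TLS10_HELLO = build_client_hello(0x0301)
```

Run over a capture of real ClientHellos, the same two functions give the count of clients that would fail a TLS 1.2 floor, which is the population the quoted message is worried about.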
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta