Stories
Slash Boxes
Comments

SoylentNews is people

It's Time for TLS 1.0 and 1.1 to Die

posted by Fnord666 on Wednesday June 20 2018, @03:32AM   Printer-friendly
from the die-die-die dept.

Arthur T Knackerbracket has found the following story:

As TLS 1.3 inches towards publication into the Internet Engineering Task Force's RFC series, it's a surprise to realise that there are still lingering instances of TLS 1.0 and TLS 1.1.

The now-ancient versions of Transport Layer Security (dating from 1999 and 2006 respectively) are nearly gone, but stubborn enough that Dell EMC's Kathleen Moriarty and Trinity College Dublin's Stephen Farrell want it formally deprecated.

This Internet-Draft (complete with “die die die” in the URL) argues that deprecation time isn't in the future, it's now, partly because developers in recalcitrant organisations or lagging projects probably need something to convince The Boss™ it's time to move.

The last nail in the coffin would be, formally and finally, to ban application fallback to the hopelessly insecure TLS 1.0 and 1.1 standards.

Deprecation also removes any excuse for a project to demand support for all four TLS variants (up to TLS 1.3), simplifying developers' lives and reducing the risk of implementation errors.

[...] The publication of TLS 1.3 into the RFC stream is imminent – it's reached the last stage of the pre-publication process, author's final review. When it's published, it will carry the designation RFC 8446.

Original Submission

 
This discussion has been archived. No new comments can be posted.
It's Time for TLS 1.0 and 1.1 to Die | Log In/Create an Account | Top | 26 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Touché) by ledow on Wednesday June 20 2018, @01:29PM (2 children)

    by ledow (5567) on Wednesday June 20 2018, @01:29PM (#695571) Homepage

    username.dyndns.org

    Or any of a dozen supported rivals, many of them free.

    Next question?

    Starting Score:    1  point
    Moderation   +1  
       Touché=1, Total=1
    Extra 'Touché' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 2) by Pino P on Saturday June 23 2018, @05:44PM

    by Pino P (4721) on Saturday June 23 2018, @05:44PM (#697263) Journal

    If a dynamic DNS provider's domain isn't on the Public Suffix List [publicsuffix.org], then the first 20 users who request a certificate under that domain get a certificate, and the rest for the week get an error message that the request exceeds the rate limit of Let's Encrypt [letsencrypt.org].

    Only the provider can request that a domain be added to the PSL, not its users. This means a provider can hold its users hostage by requesting that only "premium" domains be added to the PSL, especially if the provider also resells some commercial TLS CA's DV certificates. And last I checked, there was a months-log backlog in processing requests by providers to be added to the PSL.

  • (Score: 3, Informative) by Pino P on Saturday June 23 2018, @05:47PM

    by Pino P (4721) on Saturday June 23 2018, @05:47PM (#697267) Journal

    username.dyndns.org

    That went away years ago. When I type dyndns.org into my browser, I get redirected to dyn.com whose pricing page [dyn.com] doesn't show a free option. Wikipedia confirms [wikipedia.org]: "In April 2014, Dyn announced the discontinuation of its free hostname services effective May 7."