Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday June 20 2018, @03:32AM   Printer-friendly
from the die-die-die dept.

As TLS 1.3 inches towards publication into the Internet Engineering Task Force's RFC series, it's a surprise to realise that there are still lingering instances of TLS 1.0 and TLS 1.1.

The now-ancient versions of Transport Layer Security (dating from 1999 and 2006 respectively) are nearly gone, but stubborn enough that Dell EMC's Kathleen Moriarty and Trinity College Dublin's Stephen Farrell want it formally deprecated.

This Internet-Draft (complete with “die die die” in the URL) argues that deprecation time isn't in the future, it's now, partly because developers in recalcitrant organisations or lagging projects probably need something to convince The Boss™ it's time to move.

The last nail in the coffin would be, formally and finally, to ban application fallback to the hopelessly insecure TLS 1.0 and 1.1 standards.

Deprecation also removes any excuse for a project to demand support for all four TLS variants (up to TLS 1.3), simplifying developers' lives and reducing the risk of implementation errors.

[...] The publication of TLS 1.3 into the RFC stream is imminent – it's reached the last stage of the pre-publication process, author's final review. When it's published, it will carry the designation RFC 8446.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Thursday June 21 2018, @06:55AM (1 child)

    by Anonymous Coward on Thursday June 21 2018, @06:55AM (#696070)

    That's why things like HPKP certificate pinning exist - to try to combine the two

    No. Things like certificate pinning exist to serve the corporations more than the users.

    Browsers can warn users of unusual/unexpected changes without requiring stuff like certificate pinning. This would help the user in so many more attack scenarios. e.g. in cases where certificate pinning is not practical for certain sites, or for self-signed certificates.

    Certificate pinning adds complexity just to protect narrower more specific cases (only for organizations that pin their certificates).

    See also:

    Some browsers also support the Public-Key-Pins-Report-Only, which does only trigger this reporting while not showing an error to the user.

    So guess whose interests were the real priority for those creating the standard?

  • (Score: 2) by Pino P on Saturday June 23 2018, @03:41PM

    by Pino P (4721) on Saturday June 23 2018, @03:41PM (#697211) Journal

    I assume the -Report-Only mode of HPKP is like that of Content Security Policy (CSP): a transition mechanism to help sites that did not support the feature debug their preliminary support before committing to support.