[SSL Observatory] TLS 1.1/1.2 support

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Aug 22 22:58:21 PDT 2011


Erwann ABALEA <erwann at abalea.com> writes:
>2011/8/22 Larry Seltzer <larry at larryseltzer.com>:
>> From the presentation: "Lack of support for TLS v1.1 and v1.2 is a
>> cause for concern"
>>
>> Why? It looks like very few people care.
>
>Very few, but on what surface? 

I'm actually somewhat reassured by the fact that no-one cares much about TLS
1.1 and 1.2: 1.1 solves a very academic, but at least non-zero, problem in a
fully backwards-compatible manner, while 1.2 solves no identifiable problem
(unless you count "HMAC-SHA1 is sooooo unfashionable, it's just not what
they're wearing this year dahling" as an issue) while totally breaking
compatibility with all existing deployed systems.

>As a PKI operator employee, when we want to deploy our solutions, the customer
>often asks about TLS1.1 and 1.2 support, or EDH group larger than or equal to 2048
>bits, or some enforcement that a 3DES key won't be used to encrypt more than
>1GB of data.

Applied Cryptography has a lot to answer for (sigh). I've had both that and
the more common must-have-the-latest-toy questions: "We must have TLS 1.2" ->
"You realise that you're going to have major problems interoperating with
anything using that because the entire industry is pretty much ignoring it" ->
"Shiny, flashy, bling, want, want!". Bigger sigh.

Peter.
