[SSL Observatory] TLS 1.1/1.2 support

Larry Seltzer larry at larryseltzer.com
Tue Sep 20 12:32:03 PDT 2011


The absence of TLS 1.1 and 1.2 on the Internet is suddenly in the news.

This Friday in Buenos Aires: http://ekoparty.org/2011/juliano-rizzo.php

"We present a new fast block-wise chosen-plaintext attack against SSL/TLS.
We also describe one application of the attack that allows an adversary to
efficiently decrypt and obtain authentication tokens and cookies from HTTPS
requests. Our exploit abuses a vulnerability present in the SSL/TLS
implementation of major Web browsers at the time of writing."

I'm not sure why, but other reports on this state that the problem is not
present in TLS 1.1 or 1.2.

LJS

On Mon, Aug 22, 2011 at 12:58 PM, Ivan Ristic <ivan.ristic at gmail.com> wrote:

> The most recent results are from April 2011:
>
>
> http://blog.ivanristic.com/2011/04/fresh-internet-ssl-survey-results-april-2011-available.html
>
> Protocol analysis is on slide 30. Of course, little changed from 2010,
> the support for TLS 1.1 and TLS 1.2 is virtually non-existent.
>
>
> On Mon, Aug 22, 2011 at 9:47 AM, Peter Gutmann
> <pgut001 at cs.auckland.ac.nz> wrote:
> > Erwann ABALEA <erwann at abalea.com> writes:
> >
> >>SSLLabs from Qualys gives a rating of your website SSL configuration, after
> >>some tests. It can also detect TLS1.1/1.2, and detect a bogus answer to a
> >>nonexistent TLS version (3.99).
> >
> > Ahh, good point.  The last figures they published were for Black Hat 2010, for
> > which there were a few hundred TLS 1.1 servers and effectively zero TLS 1.2
> > servers (less than a dozen, probably most or even all test servers run by
> > various vendors).  OTOH since both TLS 1.1 and 1.2 have been around for years
> > the BH'10 figures are probably still pretty representative.
> >
> > Peter.
> >
>
>
>
> --
> Ivan Ristić
>