Question
In light of recent developments on SSL issues such as BEAST and POODLE, I decided to configure my browser to only allow TLS 1.1 and higher. The trouble is that I am finding a lot of websites which do not work correctly (some websites serve all JS and CSS resources as HTTPS always) or at all. A bit of digging usually reveals that there is no cipher overlap, or no protocol overlap. In a lot of cases, I found websites are only accepting a maximum protocol version of TLS 1.0.
My question is: is there some good reason from a security perspective to allow only TLS 1.0, or is it simply pure "laziness", and there is no good reason not to allow TLS 1.1 and TLS 1.2 in addition to TLS 1.0?
Explanation / Answer
No, there is absolutely no security-related reason to continue to support TLS 1.0, but there are several other business concerns which can twist the arm of a system engineer into allowing it. For larger sites, they may be trying not to leave people with older browsers out in the cold. For some situations, the person publishing the website needs to assume you are using IE 6 with no updates.
It sounds ridiculous, and it is, but it's a fact of life.
That said, if the server doesn't support anything above TLS 1.0, that's a problem no matter how you slice it. You should e-mail them about it. Or, if it's not fixed, stop using the site.
Sometimes it only takes one angry e-mail to set things right.
Edit: I shall emphasize that supporting a legacy operating system or software stack is no excuse for exposing your users to encryption with major known faults.
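The "bit of digging" the question mentions can be automated: the following is an added example (not from the original post) that pins a client to one TLS version at a time and reports whether a server tops out at TLS 1.0. It assumes a host reachable on port 443 and a Python with the standard `ssl` module; on recent OpenSSL builds TLS 1.0/1.1 may be disabled locally, which the probe reports as `None` rather than as a server refusal.

```python
import socket
import ssl

# Versions to offer, oldest to newest. SSLv3 is not offered by modern Pythons.
VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def probe_version(host, version, port=443, timeout=5.0):
    """Return True if `host` completes a handshake pinned to exactly `version`,
    False if the server refuses it, or None if the local OpenSSL build will not
    even offer that version (e.g. TLS 1.0 under a strict security level)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Only protocol negotiation is of interest here, not the certificate chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # The client side could not offer this version at all.
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return None
        return False  # alert from the server: protocol or cipher mismatch
    except (OSError, ValueError):
        return False


def probe_host(host, port=443):
    """Map each TLS version to the outcome of a handshake pinned to it."""
    return {v: probe_version(host, v, port) for v in VERSIONS}


def classify(results):
    """Summarise a {TLSVersion: True/False/None} map in the question's terms."""
    ok = [v for v, r in results.items() if r]
    if not ok:
        return "no protocol overlap with this client"
    if max(ok) <= ssl.TLSVersion.TLSv1:
        return "legacy only: server tops out at TLS 1.0"
    if any(v <= ssl.TLSVersion.TLSv1_1 for v in ok):
        return "modern TLS offered, but TLS 1.0/1.1 still enabled"
    return "modern TLS only"
```

Run `classify(probe_host("example.test"))` against a site that fails in a TLS 1.1+ browser; a "legacy only" result is the evidence to attach to the e-mail the answer suggests.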