IETF updates TLS/SSL best practice guidance

Do: start rolling TLS 1.3, support TLS 1.2, and DTLS 1.2. Don't: negotiate sessions using TLS 1, TLS 1.1, SSL 2 or SSL 3. Those are the Internet Engineering Task Force's latest recommendations, set out in RFC 7525, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). …

  1. Anonymous Coward

    And for the clients that refuse to talk TLS 1.2? There are a few of these and not just ancient crap but also relatively modern stuff that fails to communicate when TLS 1.0/1.1 is disabled.

    I did try disabling all but TLS 1.2 on my server, but the carnage that caused was too much trouble.

    1. Jamie Jones Silver badge

      The RFC actually says:

      No SSLv2

      No SSLv3

      No TLSv1.0 (Except when nothing higher is available)

      No TLSv1.1 (Except when nothing higher is available)

      Yes TLSv1.2

      To my puny brain, those caveats basically say that TLSv1.0 and TLSv1.1 are still to be available (as an attacker wanting to use them would surely simply not announce support for higher...)

      1. Anonymous Coward

        Indeed, permitted but not recommended, I guess I should have looked at the RFC itself. The fact remains that a lot of devices that ought to support TLS 1.2, break when TLS 1.0 is disabled.

        As an example, see this test result for my own blog. Amongst the carnage is Android <4.4.2 (my phone is 4.1, have talked to ZTE about this), IE 8-10 on Windows 7 (doesn't affect me so much, but big corporates, this is a big problem) and Safari on MacOS X <10.8.

        Now if it were a site for my own purposes, sure, I'll crank the security settings sky high and to hell with browser compatibility. TLS 1.2 is no problem. However, I can't control what the general public uses, and this is the sort of trade-off that a commercial business trading on the Internet has to make.

        1. Jamie Jones Silver badge

          [ Nice link, cheers! ]

          Don't get me wrong, I agree with you entirely. There is a bit of an 'ivory tower' vibe about this RFC, whilst back in the real world, we have to deal with all the shit that is currently out there!

  2. Anonymous Coward

    DTLS?

    Hell no.

  3. Crazy Operations Guy Silver badge

    The biggest issue with best practice guides

    Is that the people that really need to read them are too lazy to do so, or feel "My system isn't important enough to need that". That and the world is flooded with old and/or broken stuff that requires lower levels of security.

    Case in point, the other week I bought a WiFi enabled web camera to watch my backyard, but it only supported WEP (And this was in 2014 for fuck's sake...). I imagine that a lot of these new Internet-of-Things devices are in the same boat...

    1. Anonymous Coward

      Re: The biggest issue with best practice guides

      Someone should tell the manufacturer: WEP == Blatant false advertising.

      1. Anonymous Coward

        Re: The biggest issue with best practice guides

        Probably "Made in China," so any claims of false advertising would likely be met with something like "去你妈的" (HINT: figurative translation is NSFW).

        1. Anonymous Coward

          Re: The biggest issue with best practice guides

          Google translate knows the NSFW idiom. Is it phonetic or an imported Anglo-Saxon term that has become established in Chinese too?

          1. Anonymous Coward

            Re: The biggest issue with best practice guides

            As I understand it, it's traditional. Chinese insults tend to focus on the family and especially the mother (meaning "your mum" types of insults hit harder there) due to the long-standing emphasis on family values and respecting one's elders and ancestors.

            1. Anonymous Coward

              Re: The biggest issue with best practice guides

              The Google translation had no direct reference to family or mothers. So - have Google substituted a more commonplace Anglo-Saxon sexual insult?

              In the days of Mao the apparently literal translations of their political insults like "imperialist running dogs" sounded rather strange to Western ears.

              1. Anonymous Coward

                Re: The biggest issue with best practice guides

                That's probably what's happening. That's why I said the translation is figurative. Taken more directly, I believe the insult makes an unsavory solicitation to one's mother (which like I said is considered a pretty foul epithet to the Chinese).

                As for the political insults, I think it's less the "dog" part that was confusing as the "imperialist" and "running" parts. Dog's a generally insulting term when applied to a human, especially when used in terms of a mother dog.

      2. Jamie Jones Silver badge

        Re: The biggest issue with best practice guides

        "Someone should tell the manufacturer: WEP == Blatant false advertising."

        No, that would be BFA...

  4. Anonymous Coward

    Banks are worst

    U.K. banks seem to be some of the worst culprits lagging behind the times. Most are TLS 1. One I use will only connect with RC4_128_SHA which the browser regards as unsecured.

    I suppose this is because they have to support customers using very old browsers.
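Before disabling TLS 1.0/1.1 as the RFC summary earlier in the thread recommends, the legacy clients that would break can be inventoried from captured ClientHello messages rather than discovered as "carnage" in production; the same parse also flags clients still offering RC4 suites like the RC4_128_SHA one the bank comment mentions. This is an added example, not code from the thread, the RFC or any project: parse_client_hello and build_client_hello are hypothetical helpers, and the two ClientHello samples are constructed here rather than captured traffic.

```python
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
RC4_SUITES = {0x0004, 0x0005, 0xC007, 0xC011}  # RSA/ECDHE suites with RC4_128

def parse_client_hello(data: bytes) -> dict:
    """Report the versions and cipher suites a raw ClientHello advertises."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hello = data[9:9 + int.from_bytes(data[6:9], "big")]   # handshake body
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                          # skip client_random
    pos += 1 + hello[pos]                                 # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                                 # skip compression methods
    versions = [client_version]                           # all a pre-1.3 client has
    if pos + 2 <= len(hello):                             # extensions are optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0x002B:                           # supported_versions (TLS 1.3)
                versions = [struct.unpack("!H", hello[pos + 1 + i:pos + 3 + i])[0]
                            for i in range(0, hello[pos], 2)]
            pos += elen
    best = max(versions)
    return {"highest": VERSION_NAMES.get(best, hex(best)),
            "offers_rc4": any(s in RC4_SUITES for s in suites),
            "breaks_if_tls12_only": best < 0x0303}

def build_client_hello(client_version, suites, supported_versions=()) -> bytes:
    """Build a minimal ClientHello; used here only to construct sample input."""
    hello = struct.pack("!H", client_version) + b"\x00" * 32 + b"\x00"  # version, random, no session_id
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                                 # one compression method: null
    exts = b""
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts = struct.pack("!HHB", 0x002B, len(vs) + 1, len(vs)) + vs
    hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
# Constructed samples: a TLS 1.0-only client offering RC4, and a TLS 1.3-capable one.
LEGACY_HELLO = build_client_hello(0x0301, [0x0005, 0x002F])
MODERN_HELLO = build_client_hello(0x0303, [0x1301, 0xC02F], [0x0304, 0x0303])
```

Run over the first record of each captured connection, the "breaks_if_tls12_only" count tells you how many clients the RFC's TLS 1.2 floor would cut off before the switch is thrown.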

  5. Anonymous Coward

    Right. We'll get right on that,

    Just as soon as the 4 critical web apps our clients use upgrade so we can do it. For the record, two of them are accounting apps, one of them is the employee electronic timesheet system, and the fourth is the employee electronic training system (which includes certs you need to complete to maintain your network account). I'm not sure, but the travel authorization system might also not yet support something other than the verboten services. Yes, we are a US government agency, at least 20,000 people in my branch, and I think all four of those programs are mandated at the Dept of ______ level. Yeah, if I said exactly where I work, you'd all recognize it, but I'm not authorized to speak for our agency so I have to keep it vague.

    1. Anonymous Coward

      Re: Right. We'll get right on that,

      Haven't you tried to make a case with the Secretary of your Department, on the grounds of national security?

  6. Mike 16 Silver badge

    So then, the point

    is to make sure no computer from before the push to "backdoor everywhere" will be allowed to use the Internet at all. All our cat pix are now safe from Luddites who won't "upgrade" every four years.

    Understood

  7. Anonymous Coward

    Maybe someone should cc this to DSG, they're still running SSL3 and TLS1.0 on some of their primary websites.

    https://www.ssllabs.com/ssltest/analyze.html?d=secure.pcworld.co.uk

    https://www.ssllabs.com/ssltest/analyze.html?d=knowhow.com&latest

  8. Mark Dowling

    Maybe the IETF should visit Redmond

    And tell MS to retrofit TLS > 1.0 onto Windows 2008. That would help.

    1. Tomato42 Silver badge

      Re: Maybe the IETF should visit Redmond

      You mean, like here: https://support.microsoft.com/en-us/kb/245030 ?

Biting the hand that feeds IT © 1998–2019