Reply to post: TLS compatibilities

Does UK high street banks' crappy crypto actually matter?

Gary Gapinski

TLS compatibilities

SSL Labs has a nice comparison of user agent (TLS client) capabilities at https://www.ssllabs.com/ssltest/clients.html.

Note that all recently revised user agents can handle TLS 1.2 (obviating the need for older TLS protocols when observation of a web site's clientele demonstrates the UAs are indeed all compatible).

If one looks at individual UAs in that same comparison, it shows that recent ones can negotiate the stronger (i.e., AEAD+EDH) cipher suites. Those which cannot are likely quite old and equally likely lack the ability to negotiate TLS 1.2, and can be accommodated (if actually present in the clientele) by a configuration that offers the older, weaker, TLS protocols and cipher suites. The newer UAs will negotiate the stronger combinations.¹

As for HSTS, its use should be promoted, as it forces the web site operator to ensure that information is always delivered over TLS, and modern browser support is broad (https://caniuse.com/#search=hsts).

¹ See, e.g., https://www.ssllabs.com/ssltest/viewClient.html?name=Apple%20ATS&version=9&platform=iOS%209&key=112 for a particularly aggressive stance.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019