Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt

Yaron Sheffer <> Sat, 14 July 2018 16:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3C9AB130E8F for <>; Sat, 14 Jul 2018 09:59:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7shKxGpjad_o for <>; Sat, 14 Jul 2018 09:59:05 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B1577128CF3 for <>; Sat, 14 Jul 2018 09:59:05 -0700 (PDT)
Received: by with SMTP id g6-v6so19000348wrp.0 for <>; Sat, 14 Jul 2018 09:59:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=ZvFAHCtBHECRFIwUr0hkxWN1hkl/MAVMRvIPWsbPRYs=; b=UapEbGKJBo8jUUDhQD86RxGXm7bxztPFVvm+lsno0Z/9ujdvJhKT9jvWBABDtN73jB SZUTzY9zvtFwIw1AxfXoppQ8pVP3kz32v5v9M5VyPNtWoT0aYmu5+thOPfQB9ZdUTA/y hQMipdQXDKjtpcTtdtqAed4pqVoac11eB036nLmVHxPyJ+x2lj/ed3YQjTeA24Mqgl6U rOcpBBjEuD1oFGPIViql+khIYkbeEVDBPoPqzlmSUhVEDF1AWv/wcDH7tUJLvtjPAMZL NNl3fjvf9xE/aohWKS+xVHy+peJSJteKYfISxwKYKHC453hKpwuLj2G/9x1fOS3bb7LK 1Z5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=ZvFAHCtBHECRFIwUr0hkxWN1hkl/MAVMRvIPWsbPRYs=; b=QJrvPQEOoMiAtlknQuX5MzCXWTWGINAjUf5em8OFzZy+lzWs0Bw3fgOUm4RpnLSSpU MfN0Giqq8f+kjA+6nskVAJ5FWukv7YqueU4fGojyoPhc34QjfIb6Kf+g68eDghKOAnZE uAs1VbhNXb8ZViCsY2XdV0YcuRTvm8inTYSv9ZT7SSW0UHk1R+qGbAvZPdPVie9jIGFQ lzXVXMcrHj+9kaykIKa4LnbQOSNvtAlzOFouuhveP7eEdbiUvvO3X5YxulqyElLkUgfN Umj+piLiX4ZIGm8V2A6XNcMM24BOS09YEL5QRwmEeVQap5VFM/GOhjz6tQMCoWzFxwbv xxWA==
X-Gm-Message-State: AOUpUlHtiyEsMEtTeCbWT/D2OwkYMQ5uQ8XqJQ1O1OWiIZ3bQW/BW2oV Hz8MV9W7O8F1BGRpq7WPYNeY09yF
X-Google-Smtp-Source: AAOMgpfoU/KrZaSEsnRRVLEzWGlZuFS6qLVPCuruC7zva5xl/FsnamX0PUQ2iCpu83a/dWFHFUUUIQ==
X-Received: by 2002:a5d:438d:: with SMTP id i13-v6mr8355177wrq.156.1531587543870; Sat, 14 Jul 2018 09:59:03 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id r68-v6sm3484499wmr.2.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 14 Jul 2018 09:59:03 -0700 (PDT)
To: Stephen Farrell <>, nalini elkins <>
Cc: "<>" <>
References: <> <> <> <> <> <> <> <> <> <> <>
From: Yaron Sheffer <>
Message-ID: <>
Date: Sat, 14 Jul 2018 19:59:01 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 14 Jul 2018 16:59:08 -0000

>>> I'd encourage you to try get people to be open about
>>> things here - there's no particular shame in having 10% TLSv1.0
>>> sessions after all:-)
>> It isn't a question of shame but it is just a bit too much information
>> to provide a potential adversary.  That is, to say that Stock Exchange XYZ
>> has n% of TLS1.0 clients provides a potential attacker too much
>> information.
> Not sure I agree there tbh. If they're externally visible
> services, then it's public already. If they're not, and the
> attacker is inside the n/w, then the bad actor can find it
> out then. But I do understand organisations being shy about
> such things.

Having gone through this exercise recently, I agree with Nalini on why 
people would not want to report openly.

For a typical enterprise, 10% TLS 1.0 in the internal network could well 
mean that 10% of your servers are Java boxes that have not been updated 
in the last two years (and so are riddled with vulnerabilities that are 
much more severe than the old TLS version). Absolutely a good reason to 
be ashamed :-) and certainly not information that you'd want to share