Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt

[Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>]

Hi Nalini,

I think it would be more useful to collect show stopper information.  Do they have systems or applications that cannot be upgraded as there is no upgrade path?  Do these systems or applications matter in terms of deprecation?  It may not matter if they are isolated or there is no external requirement around encryption.

I did hear from someone off-list that I think will submit a PR on the systems he can’t upgrade, but he also said they don’t matter and are not a show stopper.

Thank you,
Kathleen 

Sent from my mobile device

> On Jul 11, 2018, at 5:50 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hiya,
> 
>> On 11/07/18 06:45, nalini elkins wrote:
>> Stephen,
>> 
>>> I'd love to add more detail like that and/or more sections for other
>> protocols if folks have data to offer with references.
>> 
>> I believe that I can reach out to various people I know.   Please comment
>> if my methodology is acceptable and if you think this will be helpful.
> 
> It's not whether the methodology is acceptable to me or not
> but whether or not the references to the numbers are credible
> for readers:-)
> 
> A few comment below,
> 
>> 
>> I am thinking the following:
>> 
>> Location: U.S. / Canada (possibly U.K.)
>> 
>> -  3 banks (hopefully from the top 5)
>> -  3 large insurance companies  (includes back end processing)
>> -  3 U.S. federal government agencies
>> -  3 companies in the Wall Street / Stock brokerage sector (includes back
>> end processing)
>> -  3 large credit card / processors (ex. Visa, Discover, MasterCard, etc.)
>> -  3 in the retail sector (Home Depot, Target, Lowes, et al)
> 
> Those are pretty small numbers unless they're interacting with
> a lot of TLS services. It'd be hard to know if they'd be
> representative of something or not if they're anonymised in the
> results. I'd encourage you to try get people to be open about
> things here - there's no particular shame in having 10% TLSv1.0
> sessions after all:-)
> 
>> 
>> Note: I put in "back end processing" because these are the folks that most
>> often have many connections to other business partners and so in some ways
>> have the most complex systems to deal with.
>> 
>> Note #2:  This is aspirational!  I hope I can get all these people to
>> cooperate.  I will try at least to get some in each category.
>> 
>> 
>> I will ask them the following questions:
>> 
>> 1.  How many applications do you have?  (This may end up being only the
>> mission critical ones as otherwise it may be too hard to obtain.)
> 
> I'm not sure that's so interesting for this question. And I'm not
> sure that different people would count things as applications in
> the same way.
> 
>> 2.   How many are using TLS and how many are still plain text?  (We will
>> disregard SSH and other such variants.)
> 
> Again, that's not so interesting here.
> 
>> 3.   What percent of clients are using a pre-TLS1.2 version?  (This will be
>> an estimation.
> I don't see why this needs to be estimated, this is kinda the key
> measurement needed and easy to measure. There should be no need for
> anyone to stick their thumb in the air for this:-)
> 
> It'd be good to distinguish TLSv1.0 from TLSv1.1 (and SSLv3 and
> TLSv1.3) and to say for how many TLS sessions or hosts/IPs the
> figures apply.
> 
> And of course providing as much context as possible so that it's
> possible to understand the numbers and whether or not the numbers
> from different sources are based on the same or different kinds of
> measurement.
> 
>> 
>> 4.   Do you have an active project to migrate off of older versions of TLS?
> 
> Sure.
> 
>> 
>> 5.   What do you estimate your percent of clients using pre-TLS1.2 versions
>> to be next year?
> 
> I don't see how this'd be so useful. Aaking about the historic and
> current rates of change of use of the various protocol versions would
> be good though if people have that, but they may not.
> 
> S.
> 
>> 
>> 
>> Please let me know if this will be of use & if you have suggestions for
>> improvement.
>> 
>> Thanks,
>> Nalini
>> 
>> 
>> 
>> 
>> On Tue, Jul 10, 2018 at 1:51 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> wrote:
>> 
>>> 
>>> Hi Nalini,
>>> 
>>>> On 10/07/18 04:50, nalini elkins wrote:
>>>> It would be nice to see some of this reflected in the draft rather than
>>>> only statistics on browsers.   The real usage of these protocols is far
>>>> more complex.
>>> 
>>> I didn't have time before the I-D cutoff but have since
>>> added a section on mail to the repo pre-01 version. (See
>>> [1] section 3.2.) I'd love to add more detail like that
>>> and/or more sections for other protocols if folks have
>>> data to offer with references.
>>> 
>>> Consistent with other folks' numbers sent to the list
>>> yesterday, (though based on a much smaller sat of data I
>>> guess;-) my data shows 10.6% use of TLSv1.0 when talking
>>> SMTP/IMAP/POP (or HTTP) over TLS to a population of ~200K
>>> IP addresses that listen on port 25 (mail servers).
>>> 
>>> What I don't currently have is a rate of change for that
>>> figure. I think that rate of change is the important number
>>> for figuring out what to do in the next while. E.g. The
>>> WG might conclude that if the percentage of TLSv1.0 is
>>> moving down nicely, we should be a bit patient. If it's
>>> not moving at all, we can probably move now or in 5 years
>>> without that being different. If we're not sure, then get
>>> more data...
>>> 
>>> Cheers,
>>> S.
>>> 
>>> [1]
>>> https://github.com/sftcd/tls-oldversions-diediedie/blob/mast
>>> er/draft-moriarty-tls-oldversions-diediedie.txt
>>> 
>> 
>> 
>> 
> <0x5AB2FAF17B172BEA.asc>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls