IETF Logo Mail Archive

Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt

nalini elkins <nalini.elkins@e-dco.com> Fri, 13 July 2018 12:24 UTC

Return-Path: <nalini.elkins@e-dco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 648A3130DDA for <tls@ietfa.amsl.com>; Fri, 13 Jul 2018 05:24:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=e-dco-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7oqNTvZuJyeL for <tls@ietfa.amsl.com>; Fri, 13 Jul 2018 05:24:51 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7835130E6B for <tls@ietf.org>; Fri, 13 Jul 2018 05:24:50 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id 1-v6so24356878ljv.9 for <tls@ietf.org>; Fri, 13 Jul 2018 05:24:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=e-dco-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OF3IQsTwzXCFAI1PWKBn6tdJh4g003mgldkgVI1Zg48=; b=xAI+p8K6WksnXTuQyq5GfFEATJ6bYPqQZZCSQN3Zbpn8mbVBaBN12RYmwgBUCjX0kI 5481mVmaynXEhV3DgmHZkNiVsFYzXVCSv2jjNnzKCYUL+cslTxAq3rRvgAdvtmIOWpJm fG9lTz5Ur54zuN+l04/gAu2G1Fs4nD9l37exeQD6TzdGqr/M8fulvAnQ0RYFqvYVFvJ0 mE6Eo/u8bD3Nuxhcee+nhF9fxfxm9i9qFonqvsVo4XDR8CSvokQTEko9QbUQX7stBa+3 bugQBc5Lr0yAVQif/LPe8dCRNnCSGWC0H0G43WHJ4J7KxVKOvljYGkw48Eh9qm6ImeR1 hK/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OF3IQsTwzXCFAI1PWKBn6tdJh4g003mgldkgVI1Zg48=; b=bSdrrNfpjF3j3InorNlIc/lBO/bGZP21MhO9fa5hsP9cOddh2ZQmOyRMzUsS6Mth+/ RXq8EJCDs4YdWLU0+WK6sLMDYZUJeJ9jc0ox9KlbqRampog08gaarZAIUwGZbbe5jvir bT/ib7g8nLABoEYS8HQR3M0C1SmbHELOsJM/wHtDzQpwTj3K0+/8dMWPhyB84izqUjhm p8VPxMJxTykwFOHDjyqPzRSLMDxSUlOoY9ICdsAoz9o9CiYOQ2t1xFeJsNdMNIL0vS85 AN6tjBVUyzgJw32Mm51xOuoeSlGPDC3P45inO6M+riougMk+X/YwdPme0IAxZFZun0FQ 0Y9A==
X-Gm-Message-State: AOUpUlGZhrIdG29gsIaMxAke+Ye8O9hnlwoIzZSed5sL8PTj347whFMS YSuBYxGaCgtqfpGLr6zcaxNcwDq4bPZ1zbUq5ZqLNZx4
X-Google-Smtp-Source: AAOMgpcEjxc71TQOznTOZSmOA4EP/ySltLJa0b9C6Hv0E4K54bCNtXrVkHcfjc990Jvy0Rd582E6RLyCdkUCAebekrc=
X-Received: by 2002:a2e:4951:: with SMTP id b17-v6mr3085210ljd.67.1531484688789; Fri, 13 Jul 2018 05:24:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:f8d:0:0:0:0:0 with HTTP; Fri, 13 Jul 2018 05:24:48 -0700 (PDT)
In-Reply-To: <e669c670-fa21-4df2-4098-4e0eb218f4b5@cs.tcd.ie>
References: <152934875755.3094.4484881874912460528.idtracker@ietfa.amsl.com> <CAHbuEH5J-F2cKag02Vx416jsy1N6XZOju28H99WAt71Pc5optg@mail.gmail.com> <CABcZeBN4RPt_=zu-PTPeaYbQ4KxC8DAf=a7359pZDjYavpxecw@mail.gmail.com> <CABcZeBMzweULuOfxe_Dp7n6M7Lt77_1Qq92=KzfmuBeShUSCDQ@mail.gmail.com> <CY4PR21MB0774BE80A4424D41D0C8C4138C440@CY4PR21MB0774.namprd21.prod.outlook.com> <CAPsNn2U-WqPM-Tqun4NQkhy+ctpkdjkXj_dFurChKDB3f=WqRA@mail.gmail.com> <2ad88b61-aa3c-88d4-dfef-bcd78eeeeeca@cs.tcd.ie> <CAPsNn2UyQMEnS7y-Vgpt7j7c_z38OyhPgguvD7m54yVT013u6g@mail.gmail.com> <e669c670-fa21-4df2-4098-4e0eb218f4b5@cs.tcd.ie>
From: nalini elkins <nalini.elkins@e-dco.com>
Date: Fri, 13 Jul 2018 08:24:48 -0400
Message-ID: <CAPsNn2VoZqfEyviHr8wivHv2iACsySb--E1ogzxJ9v7FGTdM7Q@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000daca810570e09051"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/f1NRWjLsMvV6Ug3sovcjbll92aA>
Subject: Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 12:24:54 -0000

Stephen,

Sorry for the late reply.   I was travelling to Montreal from India and
was jet lagged.

>
>> I am thinking the following:
>>
>> Location: U.S. / Canada (possibly U.K.)
>>
>> -  3 banks (hopefully from the top 5)
>> -  3 large insurance companies  (includes back end processing)
>> -  3 U.S. federal government agencies
>> -  3 companies in the Wall Street / Stock brokerage sector (includes back
>> end processing)
>> -  3 large credit card / processors (ex. Visa, Discover, MasterCard,
etc.)
>> -  3 in the retail sector (Home Depot, Target, Lowes, et al)

>Those are pretty small numbers unless they're interacting with
>a lot of TLS services. It'd be hard to know if they'd be
>representative of something or not if they're anonymised in the
>results.

I would expect that these people would have quite a few applications
using TLS.   Telnet, FTP, MQSeries, SMTP, and many written by the
organization itself.

What numbers do you feel WOULD be representative?

> I'd encourage you to try get people to be open about
> things here - there's no particular shame in having 10% TLSv1.0
> sessions after all:-)

It isn't a question of shame but it is just a bit too much information
to provide a potential adversary.  That is, to say that Stock Exchange XYZ
has n% of TLS1.0 clients provides a potential attacker too much
information.   As I say, most organizations that I know are trying very hard
to migrate from older versions.  It is not as simple as it might seem.

If the organizations need to be identified by name, then I think this will
be a show stopper for any kind of data that I might be able to provide.
Having said that, I completely understand (and share) your distrust of
anonymous data.   I am at a loss as to how to proceed.

I am open to any constructive suggestions.

Thanks,
Nalini


On Wed, Jul 11, 2018 at 5:50 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 11/07/18 06:45, nalini elkins wrote:
> >  Stephen,
> >
> >> I'd love to add more detail like that and/or more sections for other
> > protocols if folks have data to offer with references.
> >
> > I believe that I can reach out to various people I know.   Please comment
> > if my methodology is acceptable and if you think this will be helpful.
>
> It's not whether the methodology is acceptable to me or not
> but whether or not the references to the numbers are credible
> for readers:-)
>
> A few comment below,
>
> >
> > I am thinking the following:
> >
> > Location: U.S. / Canada (possibly U.K.)
> >
> > -  3 banks (hopefully from the top 5)
> > -  3 large insurance companies  (includes back end processing)
> > -  3 U.S. federal government agencies
> > -  3 companies in the Wall Street / Stock brokerage sector (includes back
> > end processing)
> > -  3 large credit card / processors (ex. Visa, Discover, MasterCard,
> etc.)
> > -  3 in the retail sector (Home Depot, Target, Lowes, et al)
>
> Those are pretty small numbers unless they're interacting with
> a lot of TLS services. It'd be hard to know if they'd be
> representative of something or not if they're anonymised in the
> results. I'd encourage you to try get people to be open about
> things here - there's no particular shame in having 10% TLSv1.0
> sessions after all:-)
>
> >
> > Note: I put in "back end processing" because these are the folks that
> most
> > often have many connections to other business partners and so in some
> ways
> > have the most complex systems to deal with.
> >
> > Note #2:  This is aspirational!  I hope I can get all these people to
> > cooperate.  I will try at least to get some in each category.
> >
> >
> > I will ask them the following questions:
> >
> > 1.  How many applications do you have?  (This may end up being only the
> > mission critical ones as otherwise it may be too hard to obtain.)
>
> I'm not sure that's so interesting for this question. And I'm not
> sure that different people would count things as applications in
> the same way.
>
> > 2.   How many are using TLS and how many are still plain text?  (We will
> > disregard SSH and other such variants.)
>
> Again, that's not so interesting here.
>
> > 3.   What percent of clients are using a pre-TLS1.2 version?  (This will
> be
> > an estimation.
> I don't see why this needs to be estimated, this is kinda the key
> measurement needed and easy to measure. There should be no need for
> anyone to stick their thumb in the air for this:-)
>
> It'd be good to distinguish TLSv1.0 from TLSv1.1 (and SSLv3 and
> TLSv1.3) and to say for how many TLS sessions or hosts/IPs the
> figures apply.
>
> And of course providing as much context as possible so that it's
> possible to understand the numbers and whether or not the numbers
> from different sources are based on the same or different kinds of
> measurement.
>
> >
> > 4.   Do you have an active project to migrate off of older versions of
> TLS?
>
> Sure.
>
> >
> > 5.   What do you estimate your percent of clients using pre-TLS1.2
> versions
> > to be next year?
>
> I don't see how this'd be so useful. Aaking about the historic and
> current rates of change of use of the various protocol versions would
> be good though if people have that, but they may not.
>
> S.
>
> >
> >
> > Please let me know if this will be of use & if you have suggestions for
> > improvement.
> >
> > Thanks,
> > Nalini
> >
> >
> >
> >
> > On Tue, Jul 10, 2018 at 1:51 PM, Stephen Farrell <
> stephen.farrell@cs.tcd.ie>
> > wrote:
> >
> >>
> >> Hi Nalini,
> >>
> >> On 10/07/18 04:50, nalini elkins wrote:
> >>> It would be nice to see some of this reflected in the draft rather than
> >>> only statistics on browsers.   The real usage of these protocols is far
> >>> more complex.
> >>
> >> I didn't have time before the I-D cutoff but have since
> >> added a section on mail to the repo pre-01 version. (See
> >> [1] section 3.2.) I'd love to add more detail like that
> >> and/or more sections for other protocols if folks have
> >> data to offer with references.
> >>
> >> Consistent with other folks' numbers sent to the list
> >> yesterday, (though based on a much smaller sat of data I
> >> guess;-) my data shows 10.6% use of TLSv1.0 when talking
> >> SMTP/IMAP/POP (or HTTP) over TLS to a population of ~200K
> >> IP addresses that listen on port 25 (mail servers).
> >>
> >> What I don't currently have is a rate of change for that
> >> figure. I think that rate of change is the important number
> >> for figuring out what to do in the next while. E.g. The
> >> WG might conclude that if the percentage of TLSv1.0 is
> >> moving down nicely, we should be a bit patient. If it's
> >> not moving at all, we can probably move now or in 5 years
> >> without that being different. If we're not sure, then get
> >> more data...
> >>
> >> Cheers,
> >> S.
> >>
> >> [1]
> >> https://github.com/sftcd/tls-oldversions-diediedie/blob/mast
> >> er/draft-moriarty-tls-oldversions-diediedie.txt
> >>
> >
> >
> >
>



-- 
Thanks,
Nalini Elkins
President
Enterprise Data Center Operators
www.e-dco.com

v2.23.0 | Report a Bug | By Email