Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt
nalini elkins <nalini.elkins@e-dco.com> Fri, 13 July 2018 12:24 UTC
In-Reply-To: <e669c670-fa21-4df2-4098-4e0eb218f4b5@cs.tcd.ie>
References: <152934875755.3094.4484881874912460528.idtracker@ietfa.amsl.com> <CAHbuEH5J-F2cKag02Vx416jsy1N6XZOju28H99WAt71Pc5optg@mail.gmail.com> <CABcZeBN4RPt_=zu-PTPeaYbQ4KxC8DAf=a7359pZDjYavpxecw@mail.gmail.com> <CABcZeBMzweULuOfxe_Dp7n6M7Lt77_1Qq92=KzfmuBeShUSCDQ@mail.gmail.com> <CY4PR21MB0774BE80A4424D41D0C8C4138C440@CY4PR21MB0774.namprd21.prod.outlook.com> <CAPsNn2U-WqPM-Tqun4NQkhy+ctpkdjkXj_dFurChKDB3f=WqRA@mail.gmail.com> <2ad88b61-aa3c-88d4-dfef-bcd78eeeeeca@cs.tcd.ie> <CAPsNn2UyQMEnS7y-Vgpt7j7c_z38OyhPgguvD7m54yVT013u6g@mail.gmail.com> <e669c670-fa21-4df2-4098-4e0eb218f4b5@cs.tcd.ie>
From: nalini elkins <nalini.elkins@e-dco.com>
Date: Fri, 13 Jul 2018 08:24:48 -0400
Message-ID: <CAPsNn2VoZqfEyviHr8wivHv2iACsySb--E1ogzxJ9v7FGTdM7Q@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/f1NRWjLsMvV6Ug3sovcjbll92aA>
Stephen,

Sorry for the late reply. I was travelling to Montreal from India and was jet lagged.

>> I am thinking the following:
>>
>> Location: U.S. / Canada (possibly U.K.)
>>
>> - 3 banks (hopefully from the top 5)
>> - 3 large insurance companies (includes back end processing)
>> - 3 U.S. federal government agencies
>> - 3 companies in the Wall Street / Stock brokerage sector (includes back end processing)
>> - 3 large credit card / processors (ex. Visa, Discover, MasterCard, etc.)
>> - 3 in the retail sector (Home Depot, Target, Lowes, et al)

> Those are pretty small numbers unless they're interacting with
> a lot of TLS services. It'd be hard to know if they'd be
> representative of something or not if they're anonymised in the
> results.

I would expect that these people would have quite a few applications using TLS. Telnet, FTP, MQSeries, SMTP, and many written by the organization itself.

What numbers do you feel WOULD be representative?

> I'd encourage you to try to get people to be open about
> things here - there's no particular shame in having 10% TLSv1.0
> sessions after all:-)

It isn't a question of shame, but it is just a bit too much information to provide a potential adversary. That is, to say that Stock Exchange XYZ has n% of TLS1.0 clients provides a potential attacker too much information.

As I say, most organizations that I know are trying very hard to migrate from older versions. It is not as simple as it might seem.

If the organizations need to be identified by name, then I think this will be a show stopper for any kind of data that I might be able to provide.

Having said that, I completely understand (and share) your distrust of anonymous data. I am at a loss as to how to proceed. I am open to any constructive suggestions.

Thanks,
Nalini

On Wed, Jul 11, 2018 at 5:50 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> Hiya,
>
> On 11/07/18 06:45, nalini elkins wrote:
> > Stephen,
> >
> >> I'd love to add more detail like that and/or more sections for other
> >> protocols if folks have data to offer with references.
> >
> > I believe that I can reach out to various people I know. Please comment
> > if my methodology is acceptable and if you think this will be helpful.
>
> It's not whether the methodology is acceptable to me or not
> but whether or not the references to the numbers are credible
> for readers:-)
>
> A few comments below,
>
> > I am thinking the following:
> >
> > Location: U.S. / Canada (possibly U.K.)
> >
> > - 3 banks (hopefully from the top 5)
> > - 3 large insurance companies (includes back end processing)
> > - 3 U.S. federal government agencies
> > - 3 companies in the Wall Street / Stock brokerage sector (includes back
> > end processing)
> > - 3 large credit card / processors (ex. Visa, Discover, MasterCard, etc.)
> > - 3 in the retail sector (Home Depot, Target, Lowes, et al)
>
> Those are pretty small numbers unless they're interacting with
> a lot of TLS services. It'd be hard to know if they'd be
> representative of something or not if they're anonymised in the
> results. I'd encourage you to try to get people to be open about
> things here - there's no particular shame in having 10% TLSv1.0
> sessions after all:-)
>
> > Note: I put in "back end processing" because these are the folks that most
> > often have many connections to other business partners and so in some ways
> > have the most complex systems to deal with.
> >
> > Note #2: This is aspirational! I hope I can get all these people to
> > cooperate. I will try at least to get some in each category.
> >
> > I will ask them the following questions:
> >
> > 1. How many applications do you have? (This may end up being only the
> > mission critical ones as otherwise it may be too hard to obtain.)
>
> I'm not sure that's so interesting for this question. And I'm not
> sure that different people would count things as applications in
> the same way.
>
> > 2. How many are using TLS and how many are still plain text? (We will
> > disregard SSH and other such variants.)
>
> Again, that's not so interesting here.
>
> > 3. What percent of clients are using a pre-TLS1.2 version? (This will be
> > an estimation.)
>
> I don't see why this needs to be estimated, this is kinda the key
> measurement needed and easy to measure. There should be no need for
> anyone to stick their thumb in the air for this:-)
>
> It'd be good to distinguish TLSv1.0 from TLSv1.1 (and SSLv3 and
> TLSv1.3) and to say for how many TLS sessions or hosts/IPs the
> figures apply.
>
> And of course providing as much context as possible so that it's
> possible to understand the numbers and whether or not the numbers
> from different sources are based on the same or different kinds of
> measurement.
>
> > 4. Do you have an active project to migrate off of older versions of TLS?
>
> Sure.
>
> > 5. What do you estimate your percent of clients using pre-TLS1.2 versions
> > to be next year?
>
> I don't see how this'd be so useful. Asking about the historic and
> current rates of change of use of the various protocol versions would
> be good though if people have that, but they may not.
>
> S.
>
> > Please let me know if this will be of use & if you have suggestions for
> > improvement.
> >
> > Thanks,
> > Nalini
> >
> > On Tue, Jul 10, 2018 at 1:51 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> >
> >> Hi Nalini,
> >>
> >> On 10/07/18 04:50, nalini elkins wrote:
> >>> It would be nice to see some of this reflected in the draft rather than
> >>> only statistics on browsers. The real usage of these protocols is far
> >>> more complex.
> >>
> >> I didn't have time before the I-D cutoff but have since
> >> added a section on mail to the repo pre-01 version. (See
> >> [1] section 3.2.) I'd love to add more detail like that
> >> and/or more sections for other protocols if folks have
> >> data to offer with references.
> >>
> >> Consistent with other folks' numbers sent to the list
> >> yesterday, (though based on a much smaller set of data I
> >> guess;-) my data shows 10.6% use of TLSv1.0 when talking
> >> SMTP/IMAP/POP (or HTTP) over TLS to a population of ~200K
> >> IP addresses that listen on port 25 (mail servers).
> >>
> >> What I don't currently have is a rate of change for that
> >> figure. I think that rate of change is the important number
> >> for figuring out what to do in the next while. E.g. The
> >> WG might conclude that if the percentage of TLSv1.0 is
> >> moving down nicely, we should be a bit patient. If it's
> >> not moving at all, we can probably move now or in 5 years
> >> without that being different. If we're not sure, then get
> >> more data...
> >>
> >> Cheers,
> >> S.
> >>
> >> [1] https://github.com/sftcd/tls-oldversions-diediedie/blob/master/draft-moriarty-tls-oldversions-diediedie.txt

--
Thanks,
Nalini Elkins
President
Enterprise Data Center Operators
www.e-dco.com
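Stephen's point above, that the pre-TLS1.2 figure should be measured rather than estimated, broken out by version, and stated per session and per host/IP, as an added example that is not from the thread: a Python script that tallies constructed handshake records (the line format is an assumption) on both bases, which shows how a few chatty legacy clients give a different session share than host share.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, assumed format "<timestamp> <client_ip> <server_port> <negotiated_version>":
SAMPLE_LOG = """\
2018-07-10T04:50:01Z 192.0.2.10 443 TLSv1.2
2018-07-10T04:50:02Z 192.0.2.10 443 TLSv1.2
2018-07-10T04:50:03Z 192.0.2.11 25 TLSv1.0
2018-07-10T04:50:04Z 192.0.2.12 25 TLSv1.1
2018-07-10T04:50:05Z 192.0.2.11 25 TLSv1.0
2018-07-10T04:50:06Z 192.0.2.13 443 TLSv1.3
2018-07-10T04:50:07Z 192.0.2.14 443 SSLv3
not a handshake record: skipped by the parser
2018-07-10T04:50:08Z 192.0.2.15 443 TLSv1.2
2018-07-10T04:50:09Z 192.0.2.15 443 TLSv1.2
2018-07-10T04:50:10Z 192.0.2.16 443 TLSv1.2
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(SSLv3|TLSv1\.[0-3])$")
PRE_TLS12 = {"SSLv3", "TLSv1.0", "TLSv1.1"}

def tally(text):
    """Count sessions and collect distinct client IPs per negotiated version."""
    sessions, hosts = Counter(), defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are dropped, never guessed at
            sessions[m.group(4)] += 1
            hosts[m.group(4)].add(m.group(2))
    return sessions, hosts

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def version_breakdown(text):
    """Per version: sessions and distinct hosts, each as a count and a share."""
    sessions, hosts = tally(text)
    total_s = sum(sessions.values())
    total_h = len(set().union(*hosts.values()))
    return {v: {"sessions": sessions[v], "session_pct": pct(sessions[v], total_s),
                "hosts": len(hosts[v]), "host_pct": pct(len(hosts[v]), total_h)}
            for v in sorted(sessions)}

def pre_tls12_share(text):
    """The thread's headline number as (percent of sessions, percent of hosts)."""
    sessions, hosts = tally(text)
    old_s = sum(n for v, n in sessions.items() if v in PRE_TLS12)
    old_h = len(set().union(*(hosts[v] for v in PRE_TLS12)))
    return pct(old_s, sum(sessions.values())), pct(old_h, len(set().union(*hosts.values())))
```

On the sample, pre-TLS1.2 traffic is 40% of sessions but 43% of hosts, because one TLSv1.0 host opened two sessions; a report should say which base it uses.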