[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: openssl/libssl1 in Debian now blocks offlineimap?

On Sun, Aug 20, 2017 at 01:51:16PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk 
> > Think of the "TLS 1.2 not working with WPA" discussed earlier here that 
> > might still affect half a billion active Android devices at the buster
> > release date.[1]
> > 
> > The online banking app running on such a device will support TLS 1.2
> Maybe, maybe not.  Depending on how it's implemented, it's non-trivial
> to get TLS 1.2 support in there.  Just doing HTTP or TLS yourself is
> easy enough, but if you want to use a webview, you're at the mercy of
> the TLS libs of the OS.

TLS 1.1 and 1.2 are supported for client sockets
in Android since 2012.

TLS 1.1 and 1.2 are enabled by default for client sockets
in Android since 2014.

In other words:
When buster gets released, there will still be few hundred million 
Android devices in use that do support TLS 1.1 and 1.2 but have it 
disabled by default.

If you are a bank, then using TLS 1.2 in your online banking app
is not a problem on these devices.

The situation can be less rosy when a user tries to open a link to
https://www.debian.org in the default browser.

The recent trend of using HTTPS everywhere has the nasty side effect of 
TLS 1.0 being mandatory for public parts of webservers for as long as 
users continue to use browsers that don't support anything more recent.

Even a bank that might want/have to restrict the online banking part of 
their website to TLS 1.2 and secure ciphers will still have a huge 
commercial incentive to support everything no matter how weak for HTTPS
access to the public parts of their website where they advertise their 
services to potential new customers.



       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to: