Re: Deprecate TLS1.0 support in emacs

From: Paul Eggert
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Tue, 1 Aug 2017 07:45:36 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1

Lars Ingebrigtsen wrote:
> it's premature to warn about
> things like TLS1.0 in an intrusive manner.  There's too many sites out
> there that still use that protocol, and warning too much is no help for
> our users

Last year I would have agreed, but nowadays I think it'd be better to warn about TLS 1.0 somehow. According to https://www.ssllabs.com/ssl-pulse/ from July 2016 to July 2017 TLS v1.2 support climbed from 78.3% to 87.3%, whereas support for TLS v1.0 dropped from 97.3% to 93.4% as the higher-end sites tighten up security. By the time the next version of Emacs comes out, it looks like a mild warning about TLS v1.0 will be appropriate.

For what it's worth, I surf the web mostly via Firefox configured to use only TLS v1.1 or higher, which is stricter than what's being proposed for Emacs. Only once in the last month did I run into problems with this - it was an older internal UCLA website that hadn't been upgraded, and which upgraded immediately after I notified its administrators. So at least for me, a warning from Emacs would have been more helpful, had I been using Emacs.
