|
| From: | Paul Eggert |
| Subject: | Re: Deprecate TLS1.0 support in emacs |
| Date: | Tue, 1 Aug 2017 07:45:36 -0700 |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 |
Lars Ingebrigtsen wrote:
it's premature to warn about things like TLS1.0 in an intrusive manner. There's too many sites out there that still use that protocol, and warning too much is no help for our users
Last year I would have agreed, but nowadays I think it'd be better to warn about TLS 1.0 somehow. According to https://www.ssllabs.com/ssl-pulse/ from July 2016 to July 2017 TLS v1.2 support climbed from 78.3% to 87.3%, whereas support for TLS v1.0 dropped from 97.3% to to 93.4% as the higher-end sites tighten up security. By the time the next version of Emacs comes out, it looks like a mild warning about TLS v1.0 will be appropriate.
For what it's worth, I surf the web mostly via Firefox configured to use only TLS v1.1 or higher, which is stricter than what's being proposed for Emacs. Only once in the last month did I run into problems with this - it was an older internal UCLA website that hadn't been upgraded, and which upgraded immediately after I notified its administrators. So at least for me, a warning from Emacs would have been more helpful, had I been using Emacs.
| [Prev in Thread] | Current Thread | [Next in Thread] |