Re: Re: Improved TLS Defaults
Hi Daniel,
On 29 January 2014 19:10, Daniel Lowrey <[email protected]> wrote:
> Hello internals!
>
> I've added a major new section to the Improved TLS Defaults RFC which can
> be found here:
>
> https://wiki.php.net/rfc/improved-tls-defaults#stream_wrapper_creep
>
> I was initially hesitant to include these changes in the RFC because they
> have no BC implications. However, upon further contemplation I think the
> proposed deprecations in the new "Stream Wrapper Creep" section are
> important to incorporate as part of the larger theme of improving the
> default level of TLS security in 5.6. In my opinion it's only sensible to
> apply as many TLS improvements as possible in one release instead of
> stringing them out across multiples.
>
Here's a good recent study on SSL/TLS use in the Alexa Top 1,000,000 sites:

https://jve.linuxwall.info/blog/index.php?post/TLS_Survey

What I took away from it was that SSLv2 was exclusively used by only 38 sites (so time for that to go in line with everyone else out there!). SSLv3 has an exclusive use rate of just under 1%. These are likely holdouts that will fade in time, but a 1% rate isn't quite to the point of extinction. I think we should hold off on throwing errors until v3 drops to a more negligible level. The current supported range on Firefox, for example, has a minimum of SSLv3. Yes, this is hardly paradise, but so long as we're negotiated from TLS 1.2 down (presumably the case at present!) then we should let users accept the risk for SSLv3-only sites without kicking up too much of a fuss for now.

SSLv2 - nuke it :P
Paddy
--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative