sslscan
TLS1.1 display to yellow
I suggest that the display of TLS1.1 be yellow.
Why?
I did some research on this, and found that the major browsers announced their intention to deprecate TLSv1.1 back in October 2018 (see blog entries from Google, Microsoft, and Apple). Google Chrome already blocks TLS v1.1 connections as of March 2020, and Microsoft Edge will follow suit in Spring 2021.
Here's a quote from Microsoft's blog that explains the rationale:
"While we aren’t aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1, vulnerable third-party implementations do exist. Moving to newer versions helps ensure a more secure Web for everyone. Additionally, we expect the IETF to formally deprecate TLS 1.0 and 1.1 later this year, at which point protocol vulnerabilities in these versions will no longer be addressed by the IETF."
Here's the IETF draft document that deprecates TLS v1.0 and v1.1: https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-11.
@rbsec: Shall we add "display TLSv1.1 in yellow" to the todo list?
@jtesta TLS 1.1 often seems like a pointless protocol to support, because it's very rare to find anything that supports it and doesn't also support 1.2. However, with the lack of any real security vulnerabilities in it, it's a little trickier to justify warning about it.
Looking at the status of that IETF document, it looks like it's undergone most of the reviews and is in the "Submitted to IESG for Publication" state. I'm not too familiar with their process - but I imagine that this means it's fairly near to publication. I wonder if it's worth waiting until they actually publish it?
On the other hand, with browsers dropping support and the deprecation expected soon, that seems like a reasonable argument to do it now. Although it's probably worth making this kind of change at the same time as the ones discussed in #225, so we're doing it all at the same time.
From NSA: ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF
Fully deprecated: March 2021 https://datatracker.ietf.org/doc/rfc8996/