echo: alt-comp-anti-virus
to: ALL
from: VANGUARDLH
date: 2015-06-29 07:03:00
subject: Re: Avast Free Antivirus

Poutnik wrote:

> The CIO decision was to put some of such patches
> on hold for several months,
> as side effects were evaluated more affecting than eventual risk.

I noticed after the spate of announcements regarding use of weak ciphers
and then later of patches to remove those weak (export) ciphers (along
with an update to schannel) that a lot of HTTPS sites won't work if you
disable TLS 1.0.  

Starting with all SSL encryption schemes disabled in IE and with all TLS
schemes enabled, I decided to see how many of my Favorites would fail when
TLS 1.0 was disabled.

  All SSL disabled (2.0, 3.0), all TLS enabled: 
  All my Favorites sites still worked.

  All SSL disabled, TLS 1.0 disabled:
  Started seeing some sites to which I could not connect.

  All SSL disabled, TLS 1.0 and 1.1 disabled (just TLS 1.2 enabled):
  Lots more sites wouldn't let me connect.

So as I removed older cipher schemes, more sites failed.  

https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0
(can downgrade to SSL)

Sites have been slow to adopt TLS 1.1 and 1.2.  The patches removed the
weak ciphers.  They did not affect the encryption protocol used to
establish a session.  So TLS aka SSL is still used in many places.

I did another test of my Favorites (250 of them) to find which ones
would fail to connect if TLS 1.0 was disabled (SSL, all versions, is
always disabled).  The list is shorter this time.  Obviously this is not
representative of the percentage of sites that still require TLS 1.0
since a Favorites list is skewed to the bias of the user saving those
URL shortcuts.

https://admin.uribl.com/
https://www.minnesotaworks.net/
http://www.sba.gov/
https://technet.microsoft.com/
http://www.microsoft.com/events/
http://support.microsoft.com/default.aspx?scid=fh;EN-US;pwebcst
http://www.microsoft.com/windows2000/techinfo/proddoc/default.asp
http://www.ripe.net/perl/whois
http://msdn.microsoft.com/
http://www.microsoft.com/whdc/Devtools/wdk/default.mspx
http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx
http://www.virusbtn.com/
https://submit.symantec.com/antifraud/phish.cgi
http://www.transferbigfiles.com/

Yes, some URLs are HTTP instead of HTTPS.  They redirect from HTTP to an
HTTPS page.  That means the HTTPS to which they redirect will not work
if TLS 1.0 is disabled.  Last time I checked all my Favorites with TLS
1.0 disabled, this list was a lot longer (I think it was 25).  Looks
like some of the sites have updated to TLS 1.1 or 1.2.  Notably some
Microsoft HTTPS pages still require TLS 1.0.  Alas, there are sites that
still require SSL.

Removing the weak ciphers was one way to fix the problem.  Disabling TLS
1.0 (i.e., TLS 1.1 was the minimum enabled) so it couldn't downgrade to
SSL 3 which would use the weak ciphers was another method.  Too bad we
are still stuck leaving TLS 1.0 for a huge chunk of web sites that still
require that encryption scheme.

http://blogs.msdn.com/b/kaushal/archive/2011/10/02/10218922.aspx
(dated 2011)
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)

SOURCE: echomail via QWK@docsplace.org
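
The experiment in the post above can be reproduced offline with a small model of TLS 1.2-and-earlier version negotiation. This is an added example, not part of the original post; the host names and server profiles are constructed, not measurements. It shows why a server capped at TLS 1.0 fails as soon as the client disables that version, and why an HTTP bookmark that redirects to such a server fails too.

```python
from enum import IntEnum
from urllib.parse import urlsplit

class Ver(IntEnum):
    # Wire values of the protocol version field (major, minor).
    SSL3 = 0x0300
    TLS10 = 0x0301
    TLS11 = 0x0302
    TLS12 = 0x0303

def negotiate(client_enabled, server_supported):
    """Return the negotiated version, or None if the handshake fails."""
    if not client_enabled or not server_supported:
        return None
    offered = max(client_enabled)          # ClientHello carries only the highest version
    usable = [v for v in server_supported if v <= offered]
    if not usable:
        return None                        # server has nothing at or below the offer
    chosen = max(usable)                   # version the server puts in ServerHello
    # The client aborts if the server picked a version it has disabled.
    return chosen if chosen in client_enabled else None

# Constructed server profiles (hypothetical hosts).
SERVERS = {
    "legacy.example": {Ver.SSL3, Ver.TLS10},
    "mid.example": {Ver.SSL3, Ver.TLS10, Ver.TLS11},
    "modern.example": {Ver.TLS10, Ver.TLS11, Ver.TLS12},
}

# The three client configurations from the post (SSL 2.0/3.0 always off).
CLIENTS = {
    "all TLS": {Ver.TLS10, Ver.TLS11, Ver.TLS12},
    "TLS 1.0 off": {Ver.TLS11, Ver.TLS12},
    "TLS 1.2 only": {Ver.TLS12},
}

def failures(client_enabled, servers=SERVERS):
    """Hosts the client can no longer reach over HTTPS."""
    return sorted(h for h, s in servers.items()
                  if negotiate(client_enabled, s) is None)

def reachable(chain, client_enabled, servers=SERVERS):
    """A redirect chain loads only if every https:// hop negotiates."""
    for url in chain:
        parts = urlsplit(url)
        if parts.scheme == "https" and \
                negotiate(client_enabled, servers[parts.hostname]) is None:
            return False
    return True
```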
