If you want the increased security and can afford to, by all means use it.

If you cannot afford the increased security, I guess the response is to just bugger off...  we don't need your kind?



-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Matt Harris" <matt@netfire.net>
To: "Matt Hoppes" <mattlists@rivervalleyinternet.net>
Cc: "Constantine A. Murenin" <mureninc@gmail.com>, "North American Network Operators' Group" <nanog@nanog.org>
Sent: Tuesday, December 31, 2019 10:02:26 AM
Subject: Re: Wikipedia drops support for old Android smartphones; mandates TLSv1.2 to read

On Tue, Dec 31, 2019 at 2:30 AM Matt Hoppes <mattlists@rivervalleyinternet.net> wrote:
> Why do I need Wikipedia SSLed?  I know the argument. But if it doesn’t work, why not either let it fall back to 1.0 or to HTTP?
>
> This seems like security for no valid reason.

Being able to authenticate that the content you've requested is coming from the source from which you requested it seems like a pretty valid reason to me. If you live in a privileged nation with democratic governance, and you have ISP choice and your ISP doesn't and won't hijack your connections and you're not otherwise in an environment where your connections may be hijacked for any number of reasons by any number of parties, then you may not think about this very much. Employing the best (popular, well-supported, well-documented, completely open) current standard, TLS 1.2, instead of supporting deprecated, known-flawed previous versions of that protocol also seems like an entirely reasonable idea, too. 

If you don't like that this potentially disenfranchises users of old devices (and there's perhaps a case to be made here), then the ire should be imho directed towards the device vendors for not issuing security updates for whatever version you wish were able to support modern technology. Not at free web-based services for ending support for deprecated, known-flawed protocols/ciphers/etc. If Google wanted to issue an update for older Android versions to support TLS 1.2 then they absolutely could, though users may see some detrimental performance impact to using modern technology on an outdated device.

This isn't a new issue, and we as the greater internet community have generally tackled it by taking aggressive measures towards deprecating known-flawed technologies on a conservative timeline. 

RFC 5246 was published over a decade ago.

- mdh