On Tue, Dec 31, 2019 at 7:46 AM Matt Harris <matt@netfire.net> wrote:

On Tue, Dec 31, 2019 at 10:34 AM Royce Williams <royce@techsolvency.com> wrote:
On Tue, Dec 31, 2019 at 7:17 AM Matt Harris <matt@netfire.net> wrote:

The better solution here isn't to continue to support known-flawed protocols, which perhaps puts those same populations you're referring to here at greatest risk, but rather to enable access to open technologies for those populations which ensures that they can continue to receive security updates from a vendor that doesn't have a big financial motive to deprecate devices and force users to purchase upgraded hardware instead of just receiving security updates to their existing devices. 

Unfortunately, this is the high-tech privilege equivalent of saying "let them eat cake" - because of upgrade friction on mobile in under-resourced areas (including, I might add, specific sub-populations of US consumers!)

Perhaps more unfortunately, the other option - to continue supporting known-flawed protocols - is simply saying "let them be victimized." 

With the rise of state-level disinformation at scale, I see your point.
 
Accepting that we should instead support technologies that place those very same populations at risk is coming from a place of privilege for the reasons I mentioned previously: you live somewhere with relatively peaceful/democratic governance, usually have at least some ISP choice, and are likely not otherwise under the thumb of an oppressive regime at some level or another - so when your browser makes a TLS 1.0 connection, you probably don't even think about it, much less worry about it, because you don't have to. The populations we're discussing here, on the other hand, all too often do.

What it comes down to is a question of whether we want to solve what we know today is a real problem or let it fester until abuse reaches an untenable level in some big, news-headline-making way. One way we can combat this specific issue is to make open technologies accessible. But that requires major investment on our side of the world, and prior attempts to do so (Ubuntu's open source phone OS for example) have largely been commercial flops. 

Indeed. Though a non-commercial (grass-roots, sponsored, or legislative) solution seems similarly unlikely.

Royce