🇺🇸 Asking Android users: TLSv1.0 & TLSv1.1 are no longer considered secure. But disabling them would lock out devices on Android < 4.4. Would you be affected?

🇩🇪 Question to Android users: TLSv1.0 & TLSv1.1 are no longer rated secure. Disabling them would, however, mean locking out Android < 4.4. Would you be affected?

#security #Sicherheit


@IzzyOnDroid not sure what service you are offering, but you could consider setting up two subdomains - service.xyz and insecure-service.xyz
Those that need the old stuff could voluntarily use a different address (if possible in your use case), while the rest could be protected from downgrade attacks by using the old subdomain?

@xpac Thanks for your thoughts! Valid approach, but in this case:

Splitting content isn't an option. I'm asking in general for websites targeting Android users (blogs with how-tos as well as my app listings, my F-Droid repo, my OPDS book server (which can be used from inside eBook reading apps) etc). Content is often mixed (like my app listings and articles applying to different versions) or has no relation to an Android version at all (eBooks).

So it's about "phasing out" old TLS versions altogether.

@IzzyOnDroid yeah, I assumed that. I mean, you could still host the same website under two domains, inform users of very old Androids that they will only be able to access content in the future via a separate subdomain (by adding a reverse proxy with two different configs).
It's difficult and not very handy to use, but better than locking them out.
Do you run statistics to figure out how many of your visitors actually use such old devices?

@xpac That would mean additional administration efforts, which most "webmasters" will rather not be willing to do. I see no urgency yet to change things – but wanted to have a picture on where we stand. Cannot argue one way or the other without facts – though results of my poll might not really be that representative.

Right now it looks like 6% affected, 1/6 of them with no alternatives – nothing I'd like to neglect. But let's see, I might repeat the poll in half a year. Can't keep TLSv1/1.1 forever 😉

@xpac I don't run stats on that, no. But good idea: last week's logs are still there. A quick estimate: on my sites it would affect 0.2% of the requests. Split up: 0.7% on my eBook Server, 0.53% on my Android site and 0.16% on my F-Droid repo.

So yes, the "cold statistician" might say "scrap it, not worth the effort". But to me users are no "numbers", they are people. So if I can help it, I'll keep it up a bit longer. Which I can. Despite the "B rating" with SSLLabs, Observatory gives me A+ still 😛
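One way to get the kind of per-site estimate discussed above out of a week of access logs, as an added example that is not part of this thread and not IzzyOnDroid's own script: it assumes a hypothetical nginx `log_format` that appends `$ssl_protocol` and `$ssl_cipher` to the usual combined fields, and it runs on constructed sample lines (the hostnames, addresses and user agents are made up). Plain-HTTP requests (protocol logged as `-`) are left out of the percentage, since they are not affected by a TLS change.

```python
import re
from collections import Counter, defaultdict

# Assumed (hypothetical) nginx log_format, with the negotiated protocol and
# cipher appended after the standard "combined" fields:
#   log_format tls '$host $remote_addr - - [$time_local] "$request" $status '
#                  '$body_bytes_sent "$http_referer" "$http_user_agent" '
#                  '$ssl_protocol $ssl_cipher';
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<proto>TLSv[\d.]+|-) (?P<cipher>\S+)$'
)

# Protocol versions that would stop working once TLS 1.0/1.1 are disabled.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Constructed sample log lines (not real traffic): three sites, a handful of
# requests each, one plain-HTTP request and one unparsable line.
SAMPLE_LOG = """\
ebooks.example.test 203.0.113.10 - - [10/Mar/2020:10:00:01 +0100] "GET /opds HTTP/1.1" 200 1523 "-" "FBReader/2.8 (Android 4.1)" TLSv1 ECDHE-RSA-AES128-SHA
ebooks.example.test 203.0.113.11 - - [10/Mar/2020:10:00:05 +0100] "GET /opds HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Android 10)" TLSv1.3 TLS_AES_256_GCM_SHA384
ebooks.example.test 203.0.113.12 - - [10/Mar/2020:10:01:17 +0100] "GET /book/42.epub HTTP/1.1" 200 88120 "-" "Mozilla/5.0 (Android 8.0)" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
android.example.test 203.0.113.20 - - [10/Mar/2020:10:02:00 +0100] "GET /apps/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Android 4.3)" TLSv1.1 ECDHE-RSA-AES256-SHA
android.example.test 203.0.113.21 - - [10/Mar/2020:10:02:09 +0100] "GET /apps/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Android 9)" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
android.example.test 203.0.113.22 - - [10/Mar/2020:10:02:30 +0100] "GET /howto/tls HTTP/1.1" 200 6102 "-" "Mozilla/5.0 (Android 7.1)" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
android.example.test 203.0.113.23 - - [10/Mar/2020:10:03:44 +0100] "GET /howto/tls HTTP/1.1" 200 6102 "-" "Mozilla/5.0 (Android 10)" TLSv1.3 TLS_AES_128_GCM_SHA256
fdroid.example.test 203.0.113.30 - - [10/Mar/2020:10:04:00 +0100] "GET /repo/index-v1.jar HTTP/1.1" 200 251000 "-" "F-Droid 1.8" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
fdroid.example.test 203.0.113.31 - - [10/Mar/2020:10:04:12 +0100] "GET /repo/index-v1.jar HTTP/1.1" 304 0 "-" "F-Droid 1.7.1" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
fdroid.example.test 203.0.113.32 - - [10/Mar/2020:10:05:00 +0100] "GET /repo/ HTTP/1.1" 301 169 "-" "curl/7.64.0" - -
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict of named fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def legacy_share(lines):
    """Return {host: (legacy_requests, tls_requests, percent)}, plus an 'all' entry.

    Only TLS requests are counted; plain-HTTP requests (protocol '-') and
    unparsable lines are skipped.
    """
    counts = defaultdict(lambda: [0, 0])  # host -> [legacy, total]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] == "-":
            continue
        for key in (rec["host"], "all"):
            counts[key][1] += 1
            if rec["proto"] in LEGACY_PROTOCOLS:
                counts[key][0] += 1
    return {h: (leg, tot, round(100.0 * leg / tot, 2)) for h, (leg, tot) in counts.items()}


def legacy_agents(lines):
    """Count the user agents seen on legacy protocols, i.e. the clients that would be locked out."""
    agents = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] in LEGACY_PROTOCOLS:
            agents[rec["agent"]] += 1
    return agents


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, (leg, tot, pct) in sorted(legacy_share(lines).items()):
        print(f"{host:24} {leg:4d} / {tot:4d} legacy TLS requests ({pct}%)")
    for agent, n in legacy_agents(lines).most_common():
        print(f"  {n:4d}  {agent}")
```

Run it against a real file with `legacy_share(open("access.log"))` after adding the `$ssl_protocol`/`$ssl_cipher` fields to the server's log format; the user-agent breakdown is what tells whether the legacy share is old Android browsers and reader apps, which a separate legacy subdomain could serve, or just scanners and bots that can safely be ignored.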


chaos.social – a Fediverse instance for & by the Chaos community