Web lists-archives.com

Re: openssl/libssl1 in Debian now blocks offlineimap?




Excerpts from Tollef Fog Heen's message of 2017-08-18 22:07:49 +0200:
> ]] Adrian Bunk 
> 
> > Or did this start as a coordinated effort of several major Linux
> > distributions covering all TLS implementations?
> 
> While not speaking for Kurt, there's been a move towards getting rid of
> TLS < 1.2 for quite some time, by reasonably important players such as
> the PCI-DSS consortium which announced in 2015 that June 2016 would be
> the deadline for disabling older TLS versions.  As we all know, we're
> past that date now, and TLS < 1.2 is still around and entirely too
> well-supported.  The PCI consortium extended the deadline until June
> 2018.  Assuming that deadline holds, people with older machines will not
> be able to access services such as online banking or pay online in
> general.
> 
> I'm hoping they won't extend the deadline again, but they're pragmatic.
> As they write in their press release: “…in the field a lot of business
> issues surfaced…” said Stephen Orfei, General Manager, PCI SSC. “We want
> merchants protected against data theft but not at the expense of turning
> away business, so we changed the date.”
> 
> > Nothing that Debian does alone will have any measurable impact
> > on TLS 1.0 usage.
> 
> I think you're wrong on this point, having Debian make this change makes
> it a lot easier for me to go to company management and explain that TLS
> v1.2 is the only way forward and that we need to spend engineering
> resources to make sure any users on platforms where support for that is
> lacking get a proper notification and a chance to move to something
> newer.  «We need to do this because this change is coming, whether we
> want it or not.»
> 

Businesses assess risk on every level as part of operating a business. If
replacing Debian is cheaper than replacing whatever requires TLS 1.0,
some companies will absolutely choose the former.

It may not be wise to make business people choose between Debian and
money.