🇺🇸 Asking Android users: TLSv1.0 & TLSv1.1 are no longer considered secure. But disabling them would lock out devices on Android < 4.4. Would you be affected?
@IzzyOnDroid not sure what service you are offering, but you could consider setting up two subdomains - service.xyz and insecure-service.xyz
Those that need the old stuff could voluntarily use a different address (if possible in your use case), while the rest could be protected from downgrade attacks by using the old subdomain?
@xpac Thanks for your thoughts! Valid approach, but in this case:
Splitting content isn't an option. I'm asking in general for websites targeting Android users (blogs with how-tos as well as my app listings, my F-Droid repo, my OPDS book server (which can be used from inside eBook reading apps) etc). Content is often mixed (like my app listings and articles applying to different versions) or has no relation to an Android version at all (eBooks).
So it's about "phasing out" old TLS versions altogether.
@xpac That would mean additional administration effort, which most "webmasters" would rather not take on. I see no urgency yet to change things – but wanted to have a picture of where we stand. Cannot argue one way or the other without facts – though results of my poll might not really be that representative.
Right now it looks like 6% affected, 1/6 of them with no alternatives – nothing I'd like to neglect. But let's see, I might repeat the poll in half a year. Can't keep TLSv1/1.1 forever 😉
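One way to get server-side numbers to set beside a poll like this, as an added example that is not part of the thread: count the distinct clients that only ever negotiated TLSv1 or TLSv1.1. The log format (nginx's `$ssl_protocol` variable written to the access log), the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed nginx log_format (not from the thread):
#   '$remote_addr [$time_local] "$request" $status $ssl_protocol "$http_user_agent"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[[^\]]+\] "[^"]*" \d{3} (?P<proto>\S+) "(?P<ua>[^"]*)"$'
)
ANDROID_RE = re.compile(r'Android (\d+(?:\.\d+)*)')
LEGACY = {"TLSv1", "TLSv1.1"}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 [01/Jan/2020:10:00:00 +0000] "GET /repo/index.xml HTTP/1.1" 200 TLSv1 "Dalvik/1.6.0 (Linux; U; Android 4.1.2; Build/X)"
203.0.113.10 [01/Jan/2020:10:00:05 +0000] "GET /repo/app.apk HTTP/1.1" 200 TLSv1 "Dalvik/1.6.0 (Linux; U; Android 4.1.2; Build/X)"
198.51.100.7 [01/Jan/2020:10:01:00 +0000] "GET / HTTP/1.1" 200 TLSv1.3 "Mozilla/5.0 (Linux; Android 10) Chrome/80.0"
198.51.100.8 [01/Jan/2020:10:02:00 +0000] "GET /opds HTTP/1.1" 200 TLSv1.2 "Mozilla/5.0 (Linux; Android 4.4.4) Chrome/33.0"
192.0.2.55 [01/Jan/2020:10:03:00 +0000] "GET / HTTP/1.1" 200 TLSv1.1 "Mozilla/5.0 (Linux; U; Android 4.3; Build/Y)"
192.0.2.99 [01/Jan/2020:10:04:00 +0000] "GET / HTTP/1.1" 301 - "curl/7.68.0"
"""


def legacy_tls_report(log_text):
    """Summarise how many distinct clients would be locked out without TLSv1/1.1."""
    protos = defaultdict(set)  # (ip, user agent) -> TLS versions seen
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] == "-":  # malformed line or plain-HTTP request
            skipped += 1
            continue
        protos[(m["ip"], m["ua"])].add(m["proto"])
    # A client counts as affected only if it never negotiated anything newer.
    legacy_only = {c for c, seen in protos.items() if seen <= LEGACY}
    android_versions = sorted(
        {a.group(1) for _, ua in legacy_only if (a := ANDROID_RE.search(ua))}
    )
    total = len(protos)
    return {
        "clients": total,
        "legacy_only": len(legacy_only),
        "legacy_share": len(legacy_only) / total if total else 0.0,
        "android_versions": android_versions,
        "skipped": skipped,
    }


if __name__ == "__main__":
    print(legacy_tls_report(SAMPLE_LOG))
```

Counting per client rather than per request keeps one busy legacy device from inflating the share; clients behind a shared address with identical user agents are merged, so the figure is a lower bound.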