Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Improved TLS Defaults
From: Pádraic Brady <padraic.brady@gmail.com>
To: Daniel Lowrey
Cc: internals@lists.php.net
Date: Thu, 30 Jan 2014 00:16:32 +0000

Hi Daniel,

On 29 January 2014 19:10, Daniel Lowrey wrote:
> Hello internals!
>
> I've added a major new section to the Improved TLS Defaults RFC which can
> be found here:
>
> https://wiki.php.net/rfc/improved-tls-defaults#stream_wrapper_creep
>
> I was initially hesitant to include these changes in the RFC because they
> have no BC implications. However, upon further contemplation I think the
> proposed deprecations in the new "Stream Wrapper Creep" section are
> important to incorporate as part of the larger theme of improving the
> default level of TLS security in 5.6. In my opinion it's only sensible to
> apply as many TLS improvements as possible in one release instead of
> stringing them out across multiples.

Here's a good recent study on SSL/TLS use in the Alexa Top 1,000,000 sites:

https://jve.linuxwall.info/blog/index.php?post/TLS_Survey

What I took away from it was that SSLv2 was exclusively used by only 38 sites (so time for that to go in line with everyone else out there!). SSLv3 has an exclusive use rate of just under 1%. These are likely holdouts that will fade in time, but a 1% rate isn't quite to the point of extinction. I think we should hold off on throwing errors until v3 drops to a more negligible level. The current supported range on Firefox, for example, has a minimum of SSLv3. Yes, this is hardly paradise, but so long as we're negotiating from TLS 1.2 down (presumably the case at present!) then we should let users accept the risk for SSLv3-only sites without kicking up too much of a fuss for now.

SSLv2 - nuke it :P

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
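The policy Paddy describes (negotiate from TLS 1.2 down, never offer SSLv2, and let a caller opt in to SSLv3 for a known legacy host) can be expressed as an `ssl://` stream context in userland. This is an added example, not code from the thread or the RFC; it assumes PHP 7 or later bit-flag `STREAM_CRYPTO_METHOD_*` constants, that the `crypto_method` context option is honoured by the `ssl://` transport, and that `stream_get_meta_data()` exposes a `crypto` entry; `tlsCryptoMethod`, `buildTlsContext`, `describeCryptoMethod` and `negotiatedProtocol` are names chosen here.

```php
<?php
// Added example, not part of the RFC or the mailing-list post.
// Assumes PHP 7+ flag semantics for STREAM_CRYPTO_METHOD_* constants.

// Protocol set to offer: TLS 1.0-1.2 always, SSLv3 only on explicit opt-in,
// SSLv2 never. No separate sslv2:// or sslv3:// wrapper is needed.
function tlsCryptoMethod(bool $allowSslv3 = false): int
{
    $methods = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
             | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
             | STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
    if ($allowSslv3) {
        $methods |= STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
    }
    return $methods;
}

// Client context with peer verification on; crypto_method carries the
// version policy so the generic ssl:// transport can be used everywhere.
function buildTlsContext(bool $allowSslv3 = false)
{
    return stream_context_create(['ssl' => [
        'crypto_method'       => tlsCryptoMethod($allowSslv3),
        'verify_peer'         => true,
        'verify_peer_name'    => true,
        'disable_compression' => true,
    ]]);
}

// Names the versions a crypto_method bitmask permits, e.g. for audit logs.
function describeCryptoMethod(int $methods): array
{
    $table = ['SSLv2' => STREAM_CRYPTO_METHOD_SSLv2_CLIENT,
              'SSLv3' => STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
              'TLSv1.0' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
              'TLSv1.1' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
              'TLSv1.2' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT];
    $names = [];
    foreach ($table as $name => $flag) {
        if (($methods & $flag) === $flag) {
            $names[] = $name;
        }
    }
    return $names;
}

// Connects and reports which protocol version the peer actually negotiated,
// so an SSLv3-only holdout can be logged rather than silently accepted.
function negotiatedProtocol(string $host, int $port = 443, bool $allowSslv3 = false): string
{
    $sock = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                 STREAM_CLIENT_CONNECT, buildTlsContext($allowSslv3));
    if ($sock === false) {
        throw new RuntimeException("$host:$port: $errstr ($errno)");
    }
    $meta = stream_get_meta_data($sock);
    fclose($sock);
    return $meta['crypto']['protocol'];
}
```

With the default arguments `describeCryptoMethod(tlsCryptoMethod())` lists only the three TLS versions, and a host that negotiates SSLv3 shows up in `negotiatedProtocol()` output only when the caller passed `$allowSslv3 = true`.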