Getting a grasp of TLS versions

All major browsers and major service providers seem to be deprecating TLS 1.0/1.1 this year. It's a good move. TLS 1.2 has been supported for many years already on most platforms, and both TLS 1.0 and 1.1 have well-known weaknesses (among other things, their PRF and handshake signatures still depend on MD5 and SHA-1).

But what is the truth about usage percentages? If I want to disable the ancient TLS versions in my webgizmo, how many customers will I lose?

First of all you need to describe your customer base, because it depends. Building a service for a small number of generally tech-savvy users is a totally different situation from running a global service with users from all around the globe and from every step of the technological-knowledge ladder.

So, as I wrote in the previous posts [links at the end of this post], I had one service where the customer wanted data about the actual situation. Which is not a bad idea, not bad at all. Data is always good, oh so good.

Some specs about the service:
  • National service, not global
  • Mostly home users, but some will access it "from the office"
  • Mobile users
  • User base is adults, with no "requirements" on technological knowledge
The data was gathered for about three weeks. The total number of unique client IPs was a five-figure number. I have no idea about the actual number of users, because that data was not gathered for this research.

0.1% of those unique client IPs were using TLS 1.0. One client was using TLS 1.1, but based on its slightly weird user agent string and its IP address it was most probably some kind of scanning service, because the IP belongs to AWS.

0.1% is not much, at least I think so in this case.

Inside that 0.1% we find the following client devices/systems: various Android 4.4 tablets, some (most probably) scanning/monitoring services and even a couple of Windows XP users.

At least if we believe the user agent strings. And why shouldn't we?? ;)
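A worked version of the counting described above, added here as an example; it is not code from this post or from the earlier IIS/ELK posts. It assumes IIS W3C logs with a custom field named crypt-protocol that holds schannel's protocol flag in hex (80 for TLS 1.0, 200 for TLS 1.1, 800 for TLS 1.2; check this mapping against a request you control before trusting the numbers) and that IIS has replaced spaces in the user agent with '+'. The log lines inside it are constructed. It counts unique client IPs per negotiated version, reports the share that ever used TLS 1.0/1.1, and flags the legacy IPs whose user agent looks like a scanner so they can be separated from real users.

```python
"""Unique client IPs per negotiated TLS version, from IIS W3C logs.

Added example, not code from the original post. Assumptions: the log has a
custom field named crypt-protocol holding schannel's protocol flag in hex
(80 = TLS 1.0 client, 200 = TLS 1.1, 800 = TLS 1.2, 2000 = TLS 1.3), and IIS
has replaced spaces in the user agent with '+'. The log lines below are
constructed for the example, not taken from the service in the post.
"""
from collections import defaultdict

# Assumed mapping of the crypt-protocol field to version names. Verify it
# against a request you control before trusting the numbers.
PROTOCOL_NAMES = {0x80: "TLS1.0", 0x200: "TLS1.1", 0x800: "TLS1.2", 0x2000: "TLS1.3"}
LEGACY = ("TLS1.0", "TLS1.1")

# Substrings that usually mean a scanner or monitor rather than a person.
SCANNER_HINTS = ("bot", "scan", "monitor", "python-requests", "curl", "probe")

# Constructed sample log (W3C format with a #Fields: header line).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time c-ip cs(User-Agent) sc-status crypt-protocol
2020-01-10 08:00:01 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/79.0 200 800
2020-01-10 08:00:05 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/79.0 200 800
2020-01-10 08:01:12 203.0.113.11 Mozilla/5.0+(Linux;+Android+4.4.2)+Safari/534.30 200 80
2020-01-10 08:02:40 203.0.113.12 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1) 200 80
2020-01-10 08:03:00 198.51.100.7 python-requests/2.22.0 200 200
2020-01-10 08:04:33 203.0.113.13 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_3) 200 800
2020-01-10 08:05:10 203.0.113.11 Mozilla/5.0+(Linux;+Android+4.4.2)+Safari/534.30 200 80
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the latest #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # IIS rewrites this line when the field set changes
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                    # malformed line: skip it rather than guess columns
        yield dict(zip(fields, values))


def protocol_name(raw):
    """Map the hex crypt-protocol value to a version name ('unknown' if unmapped)."""
    try:
        return PROTOCOL_NAMES.get(int(raw, 16), "unknown")
    except ValueError:
        return "unknown"


def looks_like_scanner(user_agent):
    """Crude user-agent check; it only catches the obvious scanners."""
    ua = user_agent.lower()
    return any(hint in ua for hint in SCANNER_HINTS)


def tls_usage(text):
    """Return (ips per version, all ips, user agents per ip) for a log text."""
    per_version = defaultdict(set)
    agents = defaultdict(set)
    for entry in parse_w3c(text):
        ip = entry["c-ip"]
        per_version[protocol_name(entry["crypt-protocol"])].add(ip)
        agents[ip].add(entry["cs(User-Agent)"])
    return per_version, set(agents), agents


def legacy_report(text):
    """Share of unique IPs that ever negotiated TLS 1.0/1.1, plus the likely scanners among them."""
    per_version, all_ips, agents = tls_usage(text)
    legacy_ips = set().union(*(per_version.get(v, set()) for v in LEGACY))
    share = 100.0 * len(legacy_ips) / len(all_ips) if all_ips else 0.0
    suspects = {ip for ip in legacy_ips if any(looks_like_scanner(ua) for ua in agents[ip])}
    return {
        "share_percent": share,
        "legacy_ips": legacy_ips,
        "suspects": suspects,
        "legacy_agents": {ip: sorted(agents[ip]) for ip in legacy_ips},
        "per_version": {v: len(ips) for v, ips in per_version.items()},
    }


if __name__ == "__main__":
    report = legacy_report(SAMPLE_LOG)
    print("unique IPs per version:", report["per_version"])
    print("still on TLS 1.0/1.1: %.1f%%" % report["share_percent"])
    print("probable scanners among them:", sorted(report["suspects"]))
    for ip in sorted(report["legacy_ips"] - report["suspects"]):
        print("  real-looking legacy client", ip, report["legacy_agents"][ip])
```

Counting by client IP is only an approximation of counting users: office users behind one NAT address collapse into a single IP (and one old machine there drags the whole office into the legacy set), while a mobile user whose address changes during three weeks is counted several times. The user-agent check is deliberately crude, which is why the strings still need to be read by hand before the numbers go to the customer.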

This data was enough to convince our project team, but now we also need to convince the customer....

Part 2: https://ragolsec.blogspot.com/2020/01/iis-logs-and-elk-stack.html
Part 1: https://ragolsec.blogspot.com/2019/12/win2012r2-iis-85-and-logging-client.html
