Reply to post: Re: “unlikely event that admins have neglected to upgrade web servers”

These truly are the end times for TLS 1.0, 1.1: Firefox hopes to 'eradicate' weak HTTPS standard by blocking it

Loyal Commenter Silver badge

Re: “unlikely event that admins have neglected to upgrade web servers”

If your hardware uses TLS 1.1 (or worse TLS 1.0, or even SSL3) and they haven't provided a firmware upgrade to fix it (and it is a fix, because those are vulnerabilities) then you should seriously be considering replacing that hardware, especially if it is in an enterprise environment. Attacks can, and do, come from within the corporate environment, and if you're using unsupported gear (such as switches, firewall devices, et al) then you have a vulnerability that should be fixed. End of.

Going from memory, the vulnerability in TLS 1.1 is currently theoretical, but could become a real threat in 5-10 years, the flaw in TLS 1.0 is exploitable by a determined attacker to e.g. hijack SSL sessions, and SSL3 is practically exploitable with a RaspPi.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022