On Fri, Aug 18, 2017 at 10:07:49PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk
>...
> The PCI consortium extended the deadline until June
> 2018. Assuming that deadline holds, people with older machines will not
> be able to access services such as online banking or pay online in
> general.

That's wrong.

Think of the "TLS 1.2 not working with WPA" discussed earlier here
that might still affect half a billion active Android devices at
the buster release date.[1]

The online banking app running on such a device will support TLS 1.2

The PayPal app currently requires Android >= 4.0.3, released in 2011.

> ... but they're pragmatic.
> As they write in their press release: “…in the field a lot of business
> issues surfaced…” said Stephen Orfei, General Manager, PCI SSC. “We want
> merchants protected against data theft but not at the expense of turning
> away business, ...

Corollary:
It is permitted to run your online banking app on an Android device
with a 5 year old firmware with no security updates ever available.

>...
> to make sure any users on platforms where support for that is
> lacking get a proper notification and a chance to move to something
> newer.
>...

Imagine Debian running on the AP providing the WiFi for a Cafe.

What you are saying is that the staff working at the Cafe should
explain to their customers that they have to buy a new phone if
they want to use the WiFi.

cu
Adrian

[1] I haven't investigated how widespread this specific problem
    actually is, or whether it can be mitigated - the point is
    that it is unrelated to TLS versions supported by PayPal or
    online banking apps running on the device

--

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed