On Sun, Aug 20, 2017 at 01:51:16PM +0200, Tollef Fog Heen wrote: > ]] Adrian Bunk >... > > Think of the "TLS 1.2 not working with WPA" discussed earlier here that > > might still affect half a billion active Android devices at the buster > > release date.[1] > > > > The online banking app running on such a device will support TLS 1.2 > > Maybe, maybe not. Depending on how it's implemented, it's non-trivial > to get TLS 1.2 support in there. Just doing HTTP or TLS yourself is > easy enough, but if you want to use a webview, you're at the mercy of > the TLS libs of the OS. >...
TLS 1.1 and 1.2 are supported for client sockets in Android since 2012. TLS 1.1 and 1.2 are enabled by default for client sockets in Android since 2014. In other words: When buster gets released, there will still be few hundred million Android devices in use that do support TLS 1.1 and 1.2 but have it disabled by default. If you are a bank, then using TLS 1.2 in your online banking app is not a problem on these devices. The situation can be less rosy when a user tries to open a link to https://www.debian.org in the default browser. The recent trend of using HTTPS everywhere has the nasty side effect of TLS 1.0 being mandatory for public parts of webservers for as long as users continue to use browsers that don't support anything more recent. Even a bank that might want/have to restrict the online banking part of their website to TLS 1.2 and secure ciphers will still have a huge commercial incentive to support everything no matter how weak for HTTPS access to the public parts of their website where they advertise their services to potential new customers. cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed