On 13 Oct 2018, at 0:33, Bill Cole wrote:
TLSv1.0 with decent ciphers is unequivocally better than cleartext
transport, and most people do not have email worth the effort of
cracking TLSv1.0 to anyone capable of doing so.
CLARIFYING:
There's nothing (yet) known that makes all implementations and useful
configurations of TLSv1.0 vulnerable to a sufficiently motivated,
skilled, and resourced attacker. The risk is that if you choose to
support TLSv1.0 to accommodate bozos, you may find yourself forced to
accommodate vulnerable implementations and configurations (e.g. CBC mode
ciphers, vulnerable types of renegotiation) and forego some stronger
ciphersuites for TLSv1.0 sessions. Every TLSv1.0 session isn't
vulnerable today, maybe none that you allow are, and maybe recorded
sessions won't be any more vulnerable in a decade. However, a session
using TLSv1.3 with a stronger ciphersuite than TLSv1.0 supports carries
a lower risk in those 'maybes.'
--
Bill Cole
