
TLS stats from 1.6B connections to mozilla.org - jgrahamc
https://jve.linuxwall.info/blog/index.php?post/2016/08/04/TLS-stats-from-1.6-billion-connections-to-mozilla.org
======
NeutronBoy
> _The stat I was most curious about is in 9th position: SSLv3 with
> DES-CBC3-SHA, which accounts for 0.2% of the traffic, is a signature from
> Windows XP pre-sp3 clients, when SChannel didn't support TLSv1 or AES. 0.2%
> may seem insignificant, unless you're one of these users and the only way you
> will browse the internet is by first downloading Firefox from mozilla.org._

It's an interesting problem - do you disable insecure/deprecated cipher
suites, with the rationale it's an insecure method to download Firefox,
knowing that it's people using outdated OSs trying to get Firefox and have no
alternative?

- If you disable it, these people won't have any channel to get Firefox on
their machine, and arguably be less safe when browsing the internet.

- If you leave it enabled, these people are still vulnerable at (arguably)
the most vulnerable point (obtaining a new browser), but then being less
vulnerable going forward.

------
marcosluis
This is an amazing resource, John. Julien did incredible work on this
post. This kind of research supports my decision as a Product Manager in my
company to use only TLS 1.2 support for all products under my belt.

------
mieko
This is awesome. A few days ago I posted this question at the Qualys SSLLabs
forum:

"Is there a reason for still having TLSv1.1 enabled?"
[https://community.qualys.com/thread/16565](https://community.qualys.com/thread/16565)

Considering SSLv3 has been "dead" for a while now, and it still completes more
handshakes than TLSv1.1, there's really no reason to keep TLSv1.1 around for
most sites without very particular concerns. (But we're still holding on to
TLSv1.0 until it's in the few-percent range.)

------
jmiserez
> _Mozilla.org is an excellent target to evaluate client diversity because it
> receives traffic from all sorts of devices from all over the world. It's
> not an opinionated site that only certain type of people would visit. It's
> not region or language specific (the site supports dozens of languages). And
> it's the main entry point to download Firefox._

Is that really true? I would have guessed that people visiting mozilla.org
either have or want Firefox, or at least have an interest in technology. Also,
probably the percentage of desktop users vs. mobile is much higher for
mozilla.org than for Facebook or Google?

