
MaxCDN to drop TLS 1.0 (used by 60% of Android users) - feross
https://www.maxcdn.com/blog/rip-tls-1-0/
======
mtmail
Can we remove anything in brackets in the "MaxCDN drops TLS 1.0 (and 60% of
Android users on" title? The article doesn't mention Android. The submitter
should have added that as a comment, preferably with reference, instead.

~~~
feross
It might not be mentioned in the article, but _it is fact_. Android 4.0-4.4
market share is 60%, according to
[http://www.appbrain.com/stats/top-android-sdk-versions](http://www.appbrain.com/stats/top-android-sdk-versions)

~~~
tdondich
Hi feross. Please note that Android 4.4.2 (KitKat) does support TLS 1.2. As
you can see at
[http://www.appbrain.com/stats/top-android-sdk-versions](http://www.appbrain.com/stats/top-android-sdk-versions)
(a good gauge of Android distributions), KitKat is the most used Android
distribution, followed by 5.0 (Lollipop). So, the actual percentage you are
looking at is ~25%, but that's also for the native Android browser. Note that
the API kits for these versions actually DO support TLS 1.2, when you look at
the documentation for
[http://developer.android.com/intl/zh-cn/reference/javax/net/...](http://developer.android.com/intl/zh-cn/reference/javax/net/..),
you can see this is supported in SDK 16+ so
custom apps most likely already use TLS 1.1+. Now, we know this is hard. We
know some users will be impacted by this; however, this is how security moves
forward. We will continue to monitor our customers and work with them hand in
hand to make sure the transitions are as smooth as possible.

~~~
tdondich
The support matrix for TLS can be found at:
[https://www.ssllabs.com/ssltest/clients.html](https://www.ssllabs.com/ssltest/clients.html)

------
JohnTHaller
TLS 1.1 support, which MaxCDN will continue to support, was introduced in
Android API 16 which corresponds with Android 4.1 Jelly Bean. Android 4.0 and
below is 3.9% of the Android userbase.

All custom apps have access to (and should be using) TLS 1.1 in Android 4.1
and up. The old Android default browser (which no one should be using) may
have different TLS versions enabled than the underlying OS has available.

------
jdorfman
For the record the plan is to drop support _next week_ (March 18th 2016). We
will be reconsidering this.

~~~
feross
Thanks for reconsidering. I applaud your security mindedness, but this seems
a bit premature.

Do you know what percentage of connections to edge servers are still using TLS
1.0?

~~~
jdorfman
You are welcome. I do not have the percentages available at the moment, but we
will be updating the blog post with those numbers among other things. Will
ping you when I know more.

