
It's prohibited from usage by various regulations, like PCI-DSS, so you simply have to turn it off.

There are a few vulnerabilities like CRIME or BEAST with variable impacts; some can be patched. It's very poorly explained, so good luck understanding any of that.

There are a few old algorithms that can be decrypted with current computing resources, negating the point of encryption. You have to disable DES, RC4 and NULL.

I personally think the whole TLS 1.0 deprecation is a mess that's very representative of why cyber security is a mess and will never improve. A huge cargo cult telling you to turn it off because it's broken, ignoring that it's breaking a lot of clients, and without a single explanation of what the problems are or how to mitigate them.
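The comment above lists the mitigations (no TLS below 1.2, no TLS compression for CRIME, no DES/RC4/NULL suites) without showing what they look like in practice. The following is an added example, not code from the commenter: it builds a hardened server-side context with Python's standard-library ssl module and audits what the context still offers. It assumes an OpenSSL 1.1.1+ build and that matching cipher names against the substrings in WEAK_FRAGMENTS is a sufficient check for the suites the comment names; both are assumptions of this example.

```python
"""Hardened TLS server context plus an audit of what it still negotiates.

Added example using only the standard-library ssl module (assumes OpenSSL
1.1.1 or newer underneath). Not part of the original discussion.
"""
import ssl

# Substrings that identify the suites the comment says must be disabled.
# 'NULL' covers the aNULL/eNULL suites, 'DES' covers both DES and 3DES.
# Treating these substrings as sufficient is an assumption of this example.
WEAK_FRAGMENTS = ("RC4", "DES", "NULL", "MD5", "EXP")

# OpenSSL cipher-list string: AEAD suites with forward secrecy only, and an
# explicit '!' exclusion for the broken families as defence in depth.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:"
    "!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5"
)


def hardened_server_context() -> ssl.SSLContext:
    """Server context that implements the mitigations from the comment."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # BEAST targets CBC mode in TLS 1.0; refusing anything below 1.2 removes
    # it, and also satisfies the PCI-DSS ban on early TLS.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CRIME exploits TLS-level compression, so make sure it stays off even
    # if a later change to the context's options would re-enable it.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Drop DES, RC4 and NULL suites (and a few other known-bad ones).
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> list[str]:
    """Names of currently enabled suites that match a weak fragment."""
    return sorted(
        c["name"]
        for c in ctx.get_ciphers()
        if any(frag in c["name"] for frag in WEAK_FRAGMENTS)
    )


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise the three properties the comment asks for, as plain values."""
    return {
        "min_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_suites": weak_suites(ctx),
        "suite_count": len(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    # Compare an untouched context against the hardened one.
    for label, context in (
        ("default", ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)),
        ("hardened", hardened_server_context()),
    ):
        print(label, audit(context))
```

Running the script prints the audit for a default context next to the hardened one; the useful part for a rollout is `weak_suites()`, which can be pointed at whatever context a server actually uses, and `min_version`, which is the setting that decides whether the legacy clients the thread worries about can still connect.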



Funny that you should mention cargo-culting and regulations.

In my experience, much of the cargo-culting is driven by regulations. And a good part of that has been caused by the industries being regulated, as an unfortunate consequence.

Now... I think that warrants an explanation.

Regulations that make sense are often not descriptive - capturing the intent and scope of a rule often requires technical expertise. More than that, it's the type of expertise most organisations do not have. And instead of improving themselves, these companies, who may form the grand majority of the industry, petition the regulators to provide a safe checklist of technical mitigations that can be implemented to remain compliant.

You can probably see where this is going. (I am going to make a wild guess and say that you likely work in the banking industry.) Instead of providing these mitigation checklists as external annexes, they are instead incorporated directly into the regulations themselves.

Regulations always trail reality by a few years -- and in some cases, by decades.[0] The very same checklists that were originally meant to keep the smaller players from caving under the regulatory burden are now a drag anchor on entire industries. Instead of doing the right thing and meeting the planned intent, companies are instead ticking nonsensical boxes that the regulators and their auditors demand.

Blindly.

Mindlessly.

Divorced from reality.

And worst of all, unable to improve. Because if you made an improvement that deviates from the historically old, untouched checklist, you would no longer be compliant.

0: Don't ask. I have given a couple of talks on the subject, but refuse to go on record, let alone state the details of my beliefs publicly.


Maybe I should rephrase. I don't mean cargo culting like that. My gripe is with (most) security people whose only handling of vulnerabilities is to spread fear mongering and stupid action ASAP, without any explanation of the issue or solution. Long story short, cyber security is a circus.

Turning off TLS 1.0 in 2015 would have cut at least 30% of your user base (Internet Explorer) and was simply not an option for anybody. If there were an explanation of what the issue is, the impact and how to mitigate it, this could have been evaluated and implemented (or not), but it's never been given.

We worked together. You should recognize me really ;)

Regulations are largely fine. You should know from doing the audits. They are usually worded to say that something should follow the generally accepted standards or good practices, without specifying what they are. Either way, it's always fairly easy to delay or argue that whatever you're doing is the right thing.


Thank you for confirming, I was quite certain it was you.

And I do agree with you, within reason: financial industry tech regulation is largely fine. ("Sane") The regulations tend to state the intent of a rule, and may even specify something that clearly is not fine.

More recently I have come across different sets of rules. While it is obvious that these particular regulations have been written with the best intentions in mind, they end up making things worse. Instead of specifying what the goal and the reason for any rule is, they state only The One True Way. Reason has to be inferred, because it is unstated.

Doesn't matter if the truth in The Way may have been induced by bad 'shrooms. Once written down, it's gospel.


> A huge cargo cult telling to turn it off because it's broken, ignoring that it's breaking a lot of clients, and without a single explanation of what's the problems or how to mitigate them.

Yup. Everyone should strive to use 1.2+. But some can't for whatever reason.

What's the harm in keeping <1.2 around for the legacy clients (assuming no regulatory stuff) that can't / won't upgrade? Or do we want to turn off the proverbial Internet lights on anyone that doesn't keep up?



