
The biggest benefit to dropping TLS 1.0 and 1.1 is that modern AEAD ciphers are only supported by TLS 1.2 and above. In TLS 1.0 your only options are the hilariously-broken RC4 or block ciphers in CBC mode, which is a perennial source of padding oracles (several new ones were just discovered earlier this year[1]). By setting TLS 1.2 as your minimum you can also require the use of AEAD ciphers as Mozilla's new guidelines recommend. (In theory you could support different ciphers with different TLS versions but I don't know how many people did that in practice.)

The Wikimedia Foundation has a dashboard showing TLS statistics for their services[2]. As they run one of the most popular websites on the Internet I think this data can be considered to be representative of clients on the public web. That dashboard shows 99+% of connections use TLS 1.2 and only 0.5% of TLS 1.2 connections use non-AEAD ciphers. Now, for someone operating at the scale of the Wikimedia Foundation dropping TLS 1.0 and 1.1 is probably not a good idea right now, but for smaller sites (particularly sites that are non-commercial/non-monetary in nature) it should be just fine.

Servers have already been dropping TLS 1.0 support for years now. According to SSL Pulse[3] only 67% of servers support TLS 1.0 compared to 95% support for TLS 1.2. At its peak, TLS 1.0 support was at 99%. If you want to continue using ancient software with the modern Internet you should probably use a modern proxy server anyways just due to the sheer number of security fixes your old software's TLS implementation will be missing.

[1] https://blog.qualys.com/technology/2019/04/22/zombie-poodle-...

[2] https://grafana.wikimedia.org/d/000000458/tls-ciphersuite-ex...

[3] https://www.ssllabs.com/ssl-pulse/
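An added example, not part of the comment above: one way to set TLS 1.2 as the minimum and offer only AEAD suites with Python's standard `ssl` module, then audit which enabled suites are still non-AEAD. The cipher string and the function names are choices made for this sketch; it assumes Python built against OpenSSL 1.1.0 or later.

```python
import ssl

# OpenSSL cipher string (applies to TLS 1.2; TLS 1.3 suites are AEAD-only by design).
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"


def is_aead(suite: dict) -> bool:
    """Classify one entry from SSLContext.get_ciphers()."""
    if "aead" in suite:
        return bool(suite["aead"])
    # Older builds omit the flag; OpenSSL's description still carries the MAC type.
    return "Mac=AEAD" in suite.get("description", "")


def non_aead_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that still rely on CBC (or another non-AEAD mode)."""
    return sorted(s["name"] for s in ctx.get_ciphers() if not is_aead(s))


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses TLS 1.0/1.1 and offers only AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(AEAD_ONLY)
    return ctx


def broad_server_context() -> ssl.SSLContext:
    """Comparison context: the library's DEFAULT cipher list, no explicit floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("broad", broad_server_context()),
                       ("hardened", hardened_server_context())):
        leftovers = non_aead_suites(ctx)
        print(f"{label}: minimum={ctx.minimum_version.name}, "
              f"{len(ctx.get_ciphers())} suites, {len(leftovers)} non-AEAD")
        for name in leftovers:
            print("   ", name)
```

Running the audit against the context a service actually uses, rather than the one built here, shows whether any CBC suites are still on offer.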



In my case, the problem is not browsers but vendor-provided enterprise tools. When HTTP became the “new tcp”, all sorts of things started using it behind the scenes. Eventually someone added support for ssl/tls, but now we have to wait for $vendor to support any protocol upgrade.


> The biggest benefit to dropping TLS 1.0 and 1.1 is that modern AEAD ciphers are only supported by TLS 1.2 and above.

Great. And that's a good reason to use a client that supports 1.2. But what's so bad about keeping 1.0 and 1.1 around?

If I'm running a client that only supports <1.2, how does mandating only 1.2+ help me? If a client supports 1.2+, then it will use it anyway.

I understand supporting 1.2+, and everyone should have their server offer it. But what's the advantage of dropping 1.0 and 1.1? I'm just leaving those folks who may be stuck with older clients twisting in the wind with no service whatsoever.


As I said the alternatives to AEADs have well-known security issues that AEADs are immune to by design. Keeping 1.0 and 1.1 around requires keeping CBC ciphers around and all the workarounds and careful design required to avoid exposing padding oracles using them, and requires keeping your software patched as new vulnerabilities from those oracles are discovered. Eliminating TLS 1.0 and 1.1 will meaningfully improve the overall security of the TLS ecosystem. Also, you didn't address my point about using a proxy server which should let you keep using your ancient software. (Also also, it looks like that's Mac software from 2007, will it continue working after Apple drops 32-bit support?)



