[danmg]

The part didn't break. Someone who thinks they know better decided to make it not work, and complicated some normal person's life with some security theater.

If a manufacture intentionally made a product they sold you not work, much like how Tesla disables fast charging capriciously, it would be a violation of the Magnuson-Moss Warranty Act.

[cnst]

Exactly! It's so upsetting that the narrative has been so distorted that most folk don't even understand that it's not the manufacturer that intentionally makes the device unusable, but instead the website operators, and those who support and misleadingly advise such operators. The biggest problem is that folks like Mozilla tell everyone to disable TLSv1.0, whilst themselves still supporting it; which shows the biggest case of hypocrisy there could ever be.

Are you aware of any groups working against such planned device obsolescence? My latest gripe on this matter is Wikipedia -- it's beyond absurd that anonymous users can make changes to the contents of pretty much any of the millions of pages, yet getting said pages over pristine networks is conditional on TLSv1.2 support, limiting older devices from even read-only access to Wikipedia for absolutely no good reason.

[Dylan16807]

Crypto keys and algorithms need to be updated or they stop working. Web browsers are full of exploitable bugs that get discovered over time. These are both provable statements. So any manufacturer that locks those in time is practicing planned obsolescence.

[cnst]

But I don't need crypto to read text and watch pictured posted by anonymous users, so, the crypto point is just moot.

You're also missing the context. Why does it matter if someone's browser has exploitable bugs if the only sites they visit are those that are not likely to use such exploits?

So, such planned device obsolescence is conditional on two explicit actions on site owner's side, (1), prohibiting http traffic, (2), prohibiting TLSv1.0 traffic. So, it's 100% site owner's actions that cause the device to become obsolete and make your own site inaccessible. The manufacturer has zero control over the actions of the individual site owners. On the other end of the spectrum, Google, Microsoft, Bing, Amazon, Mozilla, plenty of other businesses, don't intentionally go out of their way to disable both of those things, so, their sites still work -- including through HTTP in case of the search engines. Which manifests as a definitive proof that it's the fault of those other specific sites (like Wikipedia) that take explicit actions to make the older devices obsolete.

P.S. Incidentally, this also proves the point about capitalism -- as a result of misleading propaganda campaigns promoting HTTPS everywhere, most smaller sites are automatically and inadvertently acting as precursors for planned device obsolescence, whereas the big players that need to make the last cent out of every person in the world regardless of how old their device is, or what actions their provider takes against the encrypted traffic, are fully capable of getting exceptions to the PCI compliance or whatnot, and continuing to serve their sites through TLSv1.0 as well as plain old HTTP.

[Dylan16807]

Even if all you want is plain HTTP, when HTTPS breaks it's mostly the fault of the device, and the product is still experiencing planned obsolescence caused by the manufacturer. And it would be stupid of a site to allow old versions of TLS, since that compromises the people depending on HTTPS; if there's going to be an insecure access method it should be HTTP.

And don't be so dismissive about privacy. Crypto isn't just for banking.

Also it's not really a capitalism thing, capitalism is too busy trying to sell you an update every 2 years to care about the difference between 8 years and forever.

[cnst]

> Even if all you want is plain HTTP, when HTTPS breaks it's mostly the fault of the device, and the product is still experiencing planned obsolescence caused by the manufacturer.

"Mostly"?! That's quite a stretch! You're attributing direct and explicit actions taken by a specific subset of site operators as caused by the device manufacturer, which it is clearly not!

> And it would be stupid of a site to allow old versions of TLS, since that compromises the people depending on HTTPS; if there's going to be an insecure access method it should be HTTP.

This argument doesn't stand -- if you're running the latest User-Agent software in December 2020, access to pre-TLSv1.2 sites is likely already disabled (or at least it was supposed to have been disabled earlier in 2020 -- did they back out of their own plan all over again?), so, how would the site allowing older versions of TLS at all allow the compromise that you describe to take place? It's simply not possible, because the User-Agent won't allow it!

To the contrary, if thousands of sites that don't actually need crypto wouldn't have been mistakenly made to use crypto since a few years ago, then we could have disabled pre-TLSv1.2 in newer browsers at a much faster rate; whilst still leaving TLSv1.0 support at the server level for the older clients that don't have the newer crypto.

So, ironically, the HTTPS lobby actually shot themselves in the foot by making everyone adopt TLS without any actual need.

> Crypto isn't just for banking.

Yes, sadly, crypto works great for planned device obsolescence, too!

> Also it's not really a capitalism thing, capitalism is too busy trying to sell you an update every 2 years to care about the difference between 8 years and forever.

The evidence appears to show otherwise. Capitalism -- Google, Bing, Amazon -- doesn't care if anyone still uses TLSv1.0; they'll still serve everyone to make a sale. Ironically, it's the non-profits "socialists" -- Wikipedia, Mozilla, EFF -- who (inadvertently?) promote planned device obsolescence by intentionally deprecating all backwards compatibility on the internet.

[Dylan16807]

> "Mostly"?! That's quite a stretch! You're attributing direct and explicit actions taken by a specific subset of site operators as caused by the device manufacturer, which it is clearly not!

The sites disabled those methods because they were no longer secure.

We know that TLS implementations lose security over time.

Anyone locking in a specific implementation and specific certs knows it will stop being fully secure after a while, even in a world where sites try their absolute hardest to be compatible.

So yes, I mostly blame the manufacturer. Sites could allow older ciphers, but to have non-broken HTTP Secure requires the manufacturer to update things.

> if you're running the latest User-Agent software in December 2020, access to pre-TLSv1.2 sites is likely already disabled

It's not the worst plan in the world to wait for clients to forcibly disable old ciphers, but it means that even if all your site's visitors support a new version, they won't all be reliably using it.

Maybe now that browsers can enforce things better, and downgrade attack detection is better, it's safe enough to reenable older ciphers on some servers. But there were good reasons to disable them.

> actual need

All sites should have crypto. No sites "actually need" it if you're willing to work around it hard enough, but all sites should have it.

> The evidence appears to show otherwise. Capitalism -- Google, Bing, Amazon -- doesn't care if anyone still uses TLSv1.0; they'll still serve everyone to make a sale. Ironically, it's the non-profits "socialists" -- Wikipedia, Mozilla, EFF -- who (inadvertently?) promote planned device obsolescence by intentionally deprecating all backwards compatibility on the internet.

Oh, I thought you were saying capitalism causes obsolescence. But now I'm confused. When you said "this also proves the point about capitalism", what was "the point" being proven?