[Dylan16807]

Even if all you want is plain HTTP, when HTTPS breaks it's mostly the fault of the device, and the product is still experiencing planned obsolescence caused by the manufacturer. And it would be stupid of a site to allow old versions of TLS, since that compromises the people depending on HTTPS; if there's going to be an insecure access method it should be HTTP.

And don't be so dismissive about privacy. Crypto isn't just for banking.

Also it's not really a capitalism thing, capitalism is too busy trying to sell you an update every 2 years to care about the difference between 8 years and forever.

[cnst]

> Even if all you want is plain HTTP, when HTTPS breaks it's mostly the fault of the device, and the product is still experiencing planned obsolescence caused by the manufacturer.

"Mostly"?! That's quite a stretch! You're attributing direct and explicit actions taken by a specific subset of site operators as caused by the device manufacturer, which it is clearly not!

> And it would be stupid of a site to allow old versions of TLS, since that compromises the people depending on HTTPS; if there's going to be an insecure access method it should be HTTP.

This argument doesn't stand -- if you're running the latest User-Agent software in December 2020, access to pre-TLSv1.2 sites is likely already disabled (or at least it was supposed to have been disabled earlier in 2020 -- did they back out of their own plan all over again?), so, how would the site allowing older versions of TLS at all allow the compromise that you describe to take place? It's simply not possible, because the User-Agent won't allow it!

To the contrary, if thousands of sites that don't actually need crypto wouldn't have been mistakenly made to use crypto since a few years ago, then we could have disabled pre-TLSv1.2 in newer browsers at a much faster rate; whilst still leaving TLSv1.0 support at the server level for the older clients that don't have the newer crypto.

So, ironically, the HTTPS lobby actually shot themselves in the foot by making everyone adopt TLS without any actual need.

> Crypto isn't just for banking.

Yes, sadly, crypto works great for planned device obsolescence, too!

> Also it's not really a capitalism thing, capitalism is too busy trying to sell you an update every 2 years to care about the difference between 8 years and forever.

The evidence appears to show otherwise. Capitalism -- Google, Bing, Amazon -- doesn't care if anyone still uses TLSv1.0; they'll still serve everyone to make a sale. Ironically, it's the non-profits "socialists" -- Wikipedia, Mozilla, EFF -- who (inadvertently?) promote planned device obsolescence by intentionally deprecating all backwards compatibility on the internet.

[Dylan16807]

> "Mostly"?! That's quite a stretch! You're attributing direct and explicit actions taken by a specific subset of site operators as caused by the device manufacturer, which it is clearly not!

The sites disabled those methods because they were no longer secure.

We know that TLS implementations lose security over time.

Anyone locking in a specific implementation and specific certs knows it will stop being fully secure after a while, even in a world where sites try their absolute hardest to be compatible.

So yes, I mostly blame the manufacturer. Sites could allow older ciphers, but to have non-broken HTTP Secure requires the manufacturer to update things.

> if you're running the latest User-Agent software in December 2020, access to pre-TLSv1.2 sites is likely already disabled

It's not the worst plan in the world to wait for clients to forcibly disable old ciphers, but it means that even if all your site's visitors support a new version, they won't all be reliably using it.

Maybe now that browsers can enforce things better, and downgrade attack detection is better, it's safe enough to reenable older ciphers on some servers. But there were good reasons to disable them.

> actual need

All sites should have crypto. No sites "actually need" it if you're willing to work around it hard enough, but all sites should have it.

> The evidence appears to show otherwise. Capitalism -- Google, Bing, Amazon -- doesn't care if anyone still uses TLSv1.0; they'll still serve everyone to make a sale. Ironically, it's the non-profits "socialists" -- Wikipedia, Mozilla, EFF -- who (inadvertently?) promote planned device obsolescence by intentionally deprecating all backwards compatibility on the internet.

Oh, I thought you were saying capitalism causes obsolescence. But now I'm confused. When you said "this also proves the point about capitalism", what was "the point" being proven?

[cnst]

When you start with a premise that all sites MUST have HTTPS and MUST NOT support TLSv1.0 in each argument, then your arguments are simply unsound, because they're based on an incorrect premise, so, the conclusion couldn't possibly follow, because the underlying premise is false and thus cannot support any of your conclusions.

My point about capitalism is exactly that -- capitalism -- Google, Bing, even Amazon (i.e., companies that make the most money from the web) -- show that HTTPS is entirely optional (Google Search and Bing both work over HTTP just fine), and TLSv1.0 provided by the server is just as secure at TLSv1.2-only servers (Google, Microsoft, Amazon).

I can still use any device from the last 20+ years to access both Google Search and Bing. If you intentionally disable your blog from working on such older devices, shifting the blame to device manufacturer is simply ludicrous! All my sites are HTTP-only, so, anyone anywhere can access them, from any device, over any connection (some WiFi via satellite links only allow HTTP-only traffic for free -- I win again), and with any browser. They are not in any way "insecure", either, unlike what the newer browsers might tell you. I can reach as large a variety of visitors as Google and Bing if I simply don't listen to what Mozilla, EFF and Google itself tells me on how to run my website.

[Dylan16807]

According to capitalism it's okay for banks to lose your money and it's your problem for having your identity stolen, go spend a dozen hours to get things fixed. And they won't use secure passwords on their site, and they'll use fake 2-factor, because those incidents don't bother them enough to want to prevent.

So when capitalism says a type of security isn't necessary, well, other than a nihilist "nothing is necessary" attitude, I don't believe them. And it doesn't prove that what a company does is "just as secure" as best practices.

> When you start with a premise that all sites MUST have HTTPS and MUST NOT support TLSv1.0 in each argument, then your arguments are simply unsound, because they're based on an incorrect premise

Whew, good thing I wasn't doing that.

> If you intentionally disable your blog from working on such older devices, shifting the blame to device manufacturer is simply ludicrous!

Let me try to be clear again, since you definitely misread me.

Disabling HTTP is on the site owner.

HTTPS breaking is the manufacturer's fault. The site can influence how it breaks, but no matter what a very old implementation will be broken. At a certain point you can't even get certificates any more because all the roots are expired.

> All my sites are HTTP-only

So you don't want your users to even be able to opt in to privacy or protection from hostile networks?