by GeneticGenesis 1916 days ago
I work in the video streaming industry, and we continue to support TLS 1.1 extensively for a wide range of "smart" TVs and set-top boxes. Very frustrating; there was even a long period where large CDNs were trying to shut down 1.1 and realised they'd lose a lot of business in the streaming space if they did...

Customers regularly ask us whether we support TLS 1.0 and 1.1 for this very reason. We do, and support policies to raise the min version, but that’s not the default.

Smart TVs and many streaming boxes often ship with vendored libcurl/OpenSSL/other libraries that are already years old when the device itself is new. It is frustrating and insecure, but cutting these users out isn’t a clear solution either.

...then again, I imagine the security of me streaming Resident Alien on my Roku isn't really a big concern for me.

hmm... unless my Amazon credential handshake is in that?

It's not an issue, until someone finds a way to MITM the request and send a special payload to your Roku that is then opened by an unpatched ffmpeg (https://www.linuxcompatible.org/story/asa2020074-ffmpeg-arbi...) that allows an RCE and turns your Resident Alien into a Resident Zombie.
Your credentials might go to a different endpoint, but the device is still limited in its TLS support as a client.

The attacks aren’t entirely practical, and the threat model for “someone cares enough to MitM my streaming connection” isn’t a common one, but it’s much closer to practical compared to attacks on TLS 1.2 & 1.3.

Possibly.

But it's not like the attacks on TLS 1.0 and 1.1 are trivial. To successfully break a single encrypted connection requires massive server farms.

The people actually attempting to maliciously break TLS handshakes are working on much bigger targets.

But if these smart TVs are connected, they can also be updated, right?
I know [edit: guessing] you're not being serious, but until there are laws mandating this in given markets, the security risks will ALWAYS be unknowingly carried by the consumer. In a hypothetical world where a manufacturer differentiates by advertising a product as "Now with security updates guaranteed for 10 years!" consumers will suddenly realise they've been sold garbage until that point. It just won't happen.
Without a promise based on source code escrow, it's just not worth anything to me. I VERY much support this sort of thing, though.
Or for that matter: any digital device that is not a computer or a mobile phone.

When was the last time you applied a security update for your networked printer? I'm guessing never, because no printer vendor has a security department, none have security updates, etc...

This is why smart networked printers are where state-sponsored attackers like the NSA like to hide their persistent malware...

They can be, but like phones, the manufacturers often at best keep up with fixes/upgrades for a year or so after release, after which they only care about newer products unless there is a really embarrassing security problem.
They are rarely updated
They won't, because the manufacturers aren't bothered about it.
"Oh, there's a critical security hole in one of our products? Sorry, it's discontinued, buy a new one to fix it." So frustrating.
I am in the same industry and we have the same problem. We are moving to having "insecure" proxies that support TLS 1.1 for devices that can't update. It won't add much security, but at least it demonstrates it was an active decision to support it rather than a config mistake.
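An added example, not posted by any commenter: a passive check an operator of such a legacy proxy could run over captured ClientHello records to inventory which devices genuinely cannot reach TLS 1.2, so the TLS 1.1 path serves only those and the decision stays deliberate and documented. Field layout follows RFC 5246/8446; the sample handshakes are constructed here, not real captures.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions extension

def client_hello_versions(record: bytes) -> list:
    """Versions a ClientHello offers, in the client's order. Pre-1.3 clients
    signal only a ceiling (legacy_version), so the list then has one entry."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    legacy_version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                  # legacy_version + random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    offered = []
    if pos + 2 <= len(body):                      # extensions are optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and data:
                # data[0] is the byte length of the 2-byte version list
                offered = [int.from_bytes(data[1 + i:3 + i], "big") for i in range(0, data[0], 2)]
    if not offered:
        offered = [legacy_version]
    return [TLS_VERSIONS.get(v, "0x%04x" % v) for v in offered]

def needs_legacy_proxy(record: bytes) -> bool:
    """True if the client cannot reach TLS 1.2, i.e. it belongs on the legacy proxy."""
    return all(v in ("SSLv3", "TLS 1.0", "TLS 1.1") for v in client_hello_versions(record))

def build_client_hello(legacy_version: int, supported=None) -> bytes:
    """Constructed minimal ClientHello for demonstration (not a real capture)."""
    body = legacy_version.to_bytes(2, "big") + bytes(32)    # zero random, constructed
    body += b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"     # no sid, 1 suite, null compression
    exts = b""
    if supported:
        data = bytes([2 * len(supported)]) + b"".join(v.to_bytes(2, "big") for v in supported)
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

Feeding real captures through `client_hello_versions` gives the split between clients that merely default to 1.1 and clients whose ceiling is 1.1, which is the population the legacy proxy exists for.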
Interesting, I wonder if we'll ultimately see legislation pass at some point that breaks these older TVs or non-supported devices.
I hope right-to-repair passes first.

Only the tech industry is so brazenly authoritarian about breaking things that used to work.

I don't think that saying technology is an evolving problem is an "authoritarian" stance.

Software is written by human beings; human beings make mistakes. The fact these devices can't be updated by the vendor is an implicitly economic problem.

Right-to-repair likely wouldn't "solve" these problems for 99% of people, unfortunately. Netflix would never have its customer service people advocating to download custom firmware for smart TVs from "some Russian website", for instance.

The real change it would cause is allowing "tech savvy" people to carve out a niche repairing and reselling used, but functional devices. Which even if it's only a 1% decline in sales is an unacceptable proposition for companies.

Selling millions of something every year somehow isn't worth it if even a single PENNY is left on the table, or "spent" in the wrong place instead of lining their pockets.

The authoritarianism is that companies should be aware that technology progresses and still lock users out from their hardware so they can’t fix it when the world inevitably changes.
> Netflix would never have its customer service people advocating to download custom firmware for smart TV's from "some Russian website" for instance

They wouldn't tell that to people directly, but they could tell you to go to a repair man, who would then proceed to download that same firmware from the Russian website and apply it, and the TV now works. Netflix gets to keep their reputation, and the customer is happy with the TV.