
   alt.os.development      Operating system development chatter      4,255 messages   


   Message 2,293 of 4,255   
   Grant Taylor to muta...@gmail.com   
   Re: TLS 1.0   
   17 Jun 21 14:14:03   
   
   From: gtaylor@tnetconsulting.net   
      
   On 6/17/21 1:53 PM, muta...@gmail.com wrote:   
   > Depending on the exact use case, people may not care about having   
   > hackers with the ability to intercept traffic to be able to decrypt   
   > their communication.   
      
   Or they may care about security but care about actually being able to   
   accomplish the task at hand /more/ than they care about security.   
      
   > TLS 1.0 means that the "glorified telephone people" need to go to   
   > some effort to see my passwords, and may lose their jobs if they are   
   > caught. Sounds good to me.   
      
   I tend to refer to that as "preventing casual snooping".  As in "I   
   wonder what the packet sniffer will show me today." type thing.   
      
   > The browser people seem to be in a conspiracy to prevent people from   
   > accessing a TLS 1.0 server, even internally within a company.   
      
   It's not /just/ a conspiracy (theory).  There are legitimate security   
   problems with SSL and earlier versions of TLS.  It's just that a fairly   
   small number of people are actually impacted by the security problems.   
   I suspect that more people are adversely impacted by removing older SSL   
   / TLS support than are actually impacted by the vulnerabilities therein.   
      
   > Sounds to me like there's a market for a rival browser that enables   
   > the use of TLS 1.0, perhaps with a warning.   
      
   I would argue against creating a rival browser.  The browser space is   
   already suffering and sliding towards a monoculture (Chrome).  I think   
   you would be better off forking an existing browser and re-enabling the   
   code to support old SSL / TLS.   
      
   The other thing that you can look at is something like Squid as an SSL /   
   TLS proxy that translates between SSL / TLS versions on either side.   
   I'm actually going to be doing this for various reasons in the near future.   
      
   > Maybe I can start from scratch with a simple browser.   
      
   Please don't.   
      
   > And offload the OpenSSL code (I assume there is no public domain   
   > code available to do this, so this is the best I can do) to my   
   > virtual modem.   
      
   Moving the OpenSSL code (et al.) from the computer to the modem doesn't   
   actually change anything about the problem you're talking about.  If   
   anything, it's potentially going to complicate things, or make them   
   harder to maintain.   
      
      
      
   --   
   Grant. . . .   
   unix || die   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
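
The version-translating proxy suggested in the message above, sketched as an added example that is not part of the original post and is not Squid configuration: a small Python asyncio relay that accepts only TLS 1.2 or newer from browsers and re-encrypts to a legacy server with TLS 1.0 permitted, so the old protocol is confined to the proxy-to-server hop. The function names, the loopback listen address and the certificate paths are assumptions made for illustration.

```python
import asyncio
import ssl
import warnings

def frontend_context(certfile=None, keyfile=None):
    """Client-facing side: current browsers connect here, TLS 1.2 or newer only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:  # hypothetical paths supplied by the operator
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def legacy_backend_context(cafile=None):
    """Server-facing side: TLS 1.0 permitted, certificate still verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Many OpenSSL builds refuse TLS 1.0 at their default security level,
    # so lower the level on this one context only.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx

async def pipe(reader, writer):
    """Copy decrypted bytes one way until EOF, then close the far side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def serve(listen_port, backend_host, backend_port, certfile, keyfile, cafile=None):
    """Listen on loopback and relay each connection to the legacy backend."""
    backend_ctx = legacy_backend_context(cafile)

    async def handle(client_r, client_w):
        try:
            server_r, server_w = await asyncio.open_connection(
                backend_host, backend_port, ssl=backend_ctx)
        except OSError:  # includes ssl.SSLError: backend down or handshake failed
            client_w.close()
            return
        await asyncio.gather(pipe(client_r, server_w), pipe(server_r, client_w),
                             return_exceptions=True)

    server = await asyncio.start_server(
        handle, "127.0.0.1", listen_port, ssl=frontend_context(certfile, keyfile))
    async with server:
        await server.serve_forever()
```
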

(c) 1994,  bbs@darkrealms.ca