Closed skyzyx closed 5 years ago
This is exactly what the Intermediate profile is. It's all Forward Secret, all TLS 1.2+, and all AEADs.
The old Modern basically became Intermediate, Intermediate became Old, and so on. When the previous Modern was introduced, it was TLS 1.2 only and people had the same complaints.
You don't have to run Modern, and there is nothing insecure about Intermediate.
> This is exactly what the Intermediate profile is. It's all Forward Secret, all TLS 1.2+, and all AEADs.
OK. I had misunderstood this when I first read it. If that's where I need to look to tell my Datacenter teams where to go, I can do that.
> When the previous Modern was introduced, it was TLS 1.2 only and people had the same complaints.
Well, except that TLS ≤ 1.1 really was not secure anymore, at least according to PCI.
The bigger (not-insignificant) difference is that TLS 1.2 is 11 years old (2008), while TLS 1.3 is only 14 months old. That's still pretty damn aggressive since it takes time for browsers, core libraries, and language runtimes to all catch up. Heck, even AWS doesn't offer TLS 1.3 in any of their services or even their underlying s2n library.
Your sentence came off as flippant and mildly condescending. I'm an experienced security engineer, not a run-of-the-mill developer, so I'm aware of a lot of this context.
> You don't have to run Modern, and there is nothing insecure about Intermediate.
With the older Intermediate, a reasonable person could have made an argument that it was insecure. And TLS 1.2 was a very mature spec with mature implementations at that point. The same cannot (yet) be said for TLS 1.3.
So… you're going to do what you're going to do. But it feels out of sync with the enterprises that care a lot about security and pay attention to this kind of stuff, but who simply can't turn all of the ships in the fleet that fast. I disagree with the notion that "Modern" should only refer to websites and services that don't have to worry if their customers can keep up with them… which is what today's Modern profile does (e.g., iOS 12.2, Android 10, Java 11, Golang 1.12, macOS Mojave).
> Well, except that TLS ≤ 1.1 really was not secure anymore, at least according to PCI.
No, PCI either was planning or just now deprecated SSL 3 and TLS 1.0 only.
> The bigger (not-insignificant) difference is that TLS 1.2 is 11 years old (2008), while TLS 1.3 is only 14 months old.
The world 11 years ago was also different: while it took something like half a decade for most libraries to gain TLS 1.2 support, TLS 1.3 support was implemented before the standard was final...
> Well, except that TLS ≤ 1.1 really was not secure anymore, at least according to PCI.
When the previous Modern configuration was implemented, there weren't major concerns about TLS 1.0 or TLS 1.1, but it still recommended only TLS 1.2 nevertheless. Like today's Modern configuration, it caused significant amounts of compatibility issues with systems that were not capable of handling TLS 1.2.
It is a very similar situation today. Intermediate should be what almost everybody uses for almost every service. It is extremely secure, and designed to be compatible with just about everything.
Modern was never intended to be broadly compatible; it's just that the old version of the Mozilla recommendations had sat for so long that the previous Modern wasn't particularly modern by the time it was replaced.
> it's just that the old version of the Mozilla recommendations had sat for so long that the previous Modern wasn't particularly modern by the time it was replaced.
That's a very good point. At release date, Intermediate is where you should be aiming if you are not there yet. As time goes on (and the recommendations age a bit), the rate at which you move closer or fully to Modern will depend on both the global situation and your individual situation, so by the time Modern is downgraded to Intermediate (by the next round of recommendations), you're already there (at the new Intermediate) or close.
With respect, having the modern profile remove support for TLS 1.2 is too aggressive, too fast — unless I've misunderstood how this is supposed to be read.
I've been using this tool for several years to push my company's configs to TLS 1.2 and Perfect Forward Secrecy, and that has been great. But dropping TLS 1.2 from the modern profile feels like way too soon — especially since the browser vendors haven't even removed support for TLS 1.0 or 1.1 yet (I know this is coming in March 2020).
I'd like to ask that the modern profiles be updated with a TLS 1.2 option (even if it's just a checkbox, like with OCSP stapling).
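
The three properties the first reply attributes to Intermediate (forward secret, TLS 1.2+, AEAD) can be checked mechanically against whatever cipher string a server team deploys. The following is an added example, not part of the thread or of the generator's code; the two cipher strings are constructed samples, not the generator's published lists, and the function names are hypothetical.

```python
import ssl

# Constructed sample cipher strings in OpenSSL syntax. They are assumptions
# for this example, not the generator's published Intermediate list.
STRICT = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384")
LEGACY = STRICT + ":AES128-SHA"  # adds static-RSA key exchange with CBC + HMAC

FS_KEY_EXCHANGES = {"kx-ecdhe", "kx-dhe"}  # ephemeral (EC)DH, as OpenSSL names them


def build_context(cipher_string):
    """Server-side context limited to TLS 1.2+ and the given TLS 1.2 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # OpenSSL configures TLS 1.3 suites separately
    return ctx


def audit(ctx):
    """Map each enabled suite that breaks a property to the list of reasons."""
    findings = {}
    for suite in ctx.get_ciphers():
        reasons = []
        # TLS 1.3 suites name no key exchange; this example treats them as
        # forward secret (ephemeral key share, PSK-only resumption not assumed).
        is_tls13 = suite["protocol"] == "TLSv1.3"
        if not is_tls13 and suite["kea"] not in FS_KEY_EXCHANGES:
            reasons.append("no forward secrecy (%s)" % suite["kea"])
        if not suite["aead"]:
            reasons.append("not AEAD (%s)" % suite["symmetric"])
        if reasons:
            findings[suite["name"]] = reasons
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings["<protocol>"] = ["minimum version below TLS 1.2"]
    return findings


if __name__ == "__main__":
    for label, ciphers in (("strict", STRICT), ("legacy", LEGACY)):
        print(label, audit(build_context(ciphers)) or "all suites pass")
```

The audit reads the suite metadata OpenSSL reports through `SSLContext.get_ciphers()`, so it reflects what the local library actually enables rather than what the configuration string asks for.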