[TLS Canary] Re-run TLS deprecation carnage test for TLS 1.0 and TLS 1.1
Categories
(Web Compatibility :: Tooling & Investigations, task)
Tracking
(Not tracked)
People
(Reporter: tvandermerwe, Unassigned)
References
Details
(Whiteboard: tls-canary)
Attachments
(1 file: 55.00 KB, text/plain)
Just over a year ago, Christiane ran this: https://github.com/mozilla/tls-canary/commit/1507f1679c89bdb78f02d3f497ebebc9a76ec09f
We would like to re-run this in order to recompile our TLS 1.0/TLS 1.1 deprecation carnage list. This will be informative for our TLS deprecation plans and for site outreach.
Comment 1•5 years ago
Hey Thyla,
cr is no longer working for Mozilla and neither is mwobensmith.
I'm not sure who's able to help you but this component is certainly the wrong one, as Paul's Security Assurance team has since been abandoned.
In fact, we intend to close this Bugzilla component (see https://bugzilla.mozilla.org/show_bug.cgi?id=1628224).
Maybe you can request this from Julien Vehent's team, but they too will not use this Bugzilla component for tracking their work.
I will close this as RESOLVED INVALID, unless I hear otherwise before April 15th.
Comment 2•5 years ago
Let's just move this somewhere "safe", and it can be moved again when we find a better component.
Comment 3•5 years ago (Reporter)
Thanks, Mike. Freddy, apologies for labeling it incorrectly. Mark Goodwin and Julien Vehent are in Cc, however.
Comment 5•5 years ago
Mark is currently running this scan.
Comment 6•5 years ago
I've run into a couple of problems that I'm trying to resolve today.
Comment 7•5 years ago
Comment 8•5 years ago
OK, I've run the test (and, just as importantly, I have detailed notes on how to run the test). The numbers are as follows:
Of the top 1M, there are 2286 hosts showing failures with TLS 1 / 1.1 disabled.
Details attached.
Comment 9•5 years ago (Reporter)
Thank you, Mark. Quick question, what's up with this host in the data?: andr-5f9c4ab08c-968e2d5b08687bf4-c5841ef24d99462e85-2460153.na.api.amazonvideo.com (and similar entries?). Should those entries be there? Mike, thoughts?
Comment 10•5 years ago
The Alexa top 1M list is a big list. I don't have insights on what we do / do not expect to see in there... But I can check the data we're using is current?
Comment 11•5 years ago (Reporter)
That would be great, thanks Mark!
Comment 12•5 years ago
There are 181 hosts that match amazon in the Alexa list from http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
But indeed none of them match amazonvideo.com, so perhaps the TLS Canary list is stale?
However, looking at the Cisco Top 1M from http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip, I find over 10k hosts that match amazon and 254 that match amazonvideo. No match for the one you specifically mention in comment 9, but a number of similar ones in the list.
Cisco and Alexa use completely different methodologies to produce their top 1m lists. Cisco's is mostly based on DNS resolver stats from their umbrella products, whereas Alexa is a curated list. Ultimately, both lists are useful and should be used in parallel.
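The list cross-check described in comment 12, as an added example that is not part of the original thread or of tls-canary: it counts matches in two top-1M lists, contrasts a grep-style substring match with a label-boundary domain match, and reports which list each failing host came from. The sample rows, the `andr-0000-example` hostname and all function names are constructed for illustration; the only assumption about the real files is the `rank,domain` CSV layout.

```python
import csv
import io

# Constructed sample data in the "rank,domain" CSV layout used by the Alexa
# and Cisco Umbrella top-1m.csv files. These are not real list contents.
ALEXA_SAMPLE = """1,google.com
2,amazon.com
3,amazon.co.uk
4,amazonaws.com
"""
UMBRELLA_SAMPLE = """1,google.com
2,amazon.com
3,api.amazonvideo.com
4,andr-0000-example.na.api.amazonvideo.com
5,s3.amazonaws.com
"""

def load_hosts(csv_text):
    """Return the set of lower-cased hostnames from rank,domain CSV text."""
    hosts = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 2 and row[1].strip():
            hosts.add(row[1].strip().lower().rstrip("."))
    return hosts

def substring_matches(hosts, needle):
    """grep-style match: needle anywhere in the hostname (over-counts)."""
    return {h for h in hosts if needle in h}

def under_domain(hosts, domain):
    """Hosts equal to domain or a subdomain of it (label-boundary match)."""
    domain = domain.lower().rstrip(".")
    return {h for h in hosts if h == domain or h.endswith("." + domain)}

def provenance(failing_hosts, lists):
    """Map each failing host to the sorted names of the lists containing it."""
    return {
        host: sorted(n for n, hosts in lists.items() if host.lower() in hosts)
        for host in failing_hosts
    }

if __name__ == "__main__":
    lists = {"alexa": load_hosts(ALEXA_SAMPLE),
             "umbrella": load_hosts(UMBRELLA_SAMPLE)}
    for name, hosts in lists.items():
        print(name, len(substring_matches(hosts, "amazon")),
              len(under_domain(hosts, "amazonvideo.com")))
    print(provenance(["andr-0000-example.na.api.amazonvideo.com",
                      "stale.example"], lists))
```

A failing host that maps to an empty list of sources is the signal that the scan's input list differs from the lists being compared against.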
Comment 13•5 years ago
(In reply to Thyla van der Merwe from comment #9)
> Thank you, Mark. Quick question, what's up with this host in the data?: andr-5f9c4ab08c-968e2d5b08687bf4-c5841ef24d99462e85-2460153.na.api.amazonvideo.com (and similar entries?). Should those entries be there? Mike, thoughts?
These are likely Amazon (Prime) streaming video endpoints. We've already been in touch with Amazon about them, but maybe worth following up with them again.
Comment 14•5 years ago
tls-canary is using the Tranco list, which averages over various common top-site lists and reduces biases.
Further details are in the relevant source files.
Updated•3 years ago