Fwd: Intent to unship: TLS 1.0 and TLS 1.1

Kai Engert kaie at kuix.de
Thu Sep 12 14:04:48 UTC 2019


On 12.09.19 14:40, Patrick Cloke wrote:
> I'm curious what effect this will have on Thunderbird. Do we have any
> idea what percentage of SMTP/IMAP/POP servers are using these versions
> of TLS?

I don't have numbers.

My primary concern here is our inadequate communication of errors
related to SSL/TLS connectivity to the user.

Any change to disable old protocols, while the older versions are still
deployed on servers, will frustrate users if they don't understand what's
going wrong.

I think better user feedback should get a higher priority. Once we
disable the protocols, Thunderbird users should be able to identify if a
connection failure is caused by a deprecation.

Regarding the timing, this seems to be a coordinated effort by browsers
to motivate system administrators to upgrade to more secure settings.

Other applications like email clients could decide to delay the
deprecation a little longer; however, the same arguments apply to us,
too. If TLS 1.0 and TLS 1.1 are no longer secure, we should consider
following the lead of the browsers.

Maybe the following could be a reasonable timeline:

- continue to support for the lifetime of the TB 68.x branch

- in March 2020, around the same time as browsers disable it,
  disable by default in both TB Daily builds and TB Beta.

- disable by default for the major TB release mid 2020

- we can consider allowing users to set a hidden pref to override
  for the 2020 release.

Kai

