
ENHANCEMENT REQUEST -- End-of-Life (EoL) web clients -- Please replace red text with grey text and devise a plan to warn users about supporting insecure web clients

Discussion created by smaug on Oct 22, 2016

There are numerous end-of-life clients listed on the ssllabs tool for "compatibility". The tool really needs to mark these as grey text instead of red text. This is because red indicates a problem to the web server administrator. Because these are all EoL clients, the choice to support them should really be up to the organization and ssllabs should not be coercing web server admins to try to support them. In fact, it should ADVISE AGAINST SUPPORTING THEM. The reasoning is that by allowing older cipher suites like DES-CBC3-SHA, you are exposing the more recent and supported web clients to protocol downgrade attacks. This is bad. Please fix it. Some of these are about 4 years past their end of life dates.


If ivanr is opposed to marking them immediately grey, then something more reasonable like marking EoL clients as grey if they are >= 18 months past their official EoL dates would even suffice. There is really no legitimate reason Android 2.3 -- EoL for almost 4 years, since 2012 -- should show up in red. For cases like Oracle Java 7, I could understand marking them "yellow" instead of grey, if SSLLabs is really opposed to marking them grey immediately. Either way, red markings should really be eliminated using some deterministic manner, whatever the team comes up with. Also note that many of these dates are the last dates a security fix is guaranteed. Major updates often are ceased even before the dates listed, meaning new technologies and security features are not being baked in. This generally means only critical patches may be offered, with high severity vulnerabilities being left in, meaning clients are still vulnerable, albeit not critically vulnerable.


"Android 2.3.7" -- Google Android 2.3.x Gingerbread (end-of-life since around December, 2012)

"Java 6u45" -- Oracle Java 6.x (eol since February, 2013)

"Android 4.0.4" -- Google Android 4.0.x Ice Cream Sandwich (eol since around October, 2013)

"Safari 5.1.9 / OS X 10.6.8" -- Apple Safari 5.x for Mac (eol since around December, 2013)

"Safari 6 / iOS 6.0.1" -- Apple iOS 6.x (eol since around February, 2014)

"IE 6 / XP", "IE 8 / XP" -- Microsoft Windows XP+IE6/7/8 (eol since April 8, 2014)

"Android 4.1.1" -- Google Android 4.1.x Jelly Bean (eol since June, 2014)

"Safari 7 / iOS 7.1" -- Apple iOS 7.x (eol since around June, 2014)

"IE 10 / Win Phone 8.0" -- Microsoft Windows Phone 8.0 (eol since July 8, 2014)

"IE 11 / Win Phone 8.1" -- Microsoft Windows Phone 8.1.0 (eol since August 4, 2014)

"Android 4.2.2" -- Google Android 4.2.x Jelly Bean (eol since November, 2014)

"Java 7u25" -- Oracle Java 7.x (eol since April, 2015)

"Android 4.3" -- Google Android 4.3.x Jelly Bean (eol since July, 2015)

"Safari 6.0.4 / OS X 10.8.4" -- Apple Safari 6.x for Mac (eol since around August, 2015)

"Safari 7 / OS X 10.9" -- Apple Safari 7.x for Mac (eol since around August, 2015)

"Safari 8 / OS X 10.10" -- Apple Safari 8.x for Mac (eol since around August, 2015)

"Safari 8 / iOS 8.4" -- Apple iOS 8.x (eol since around August, 2015)

"Firefox 31.3.0 ESR / Win 7" -- Mozilla Firefox 31.x ESR (eol since August 11, 2015)

"Android 4.4.2" -- Google Android 4.4.x KitKat (eol since October, 2015)

"OpenSSL 0.9.8y" -- OpenSSL 0.9.8/1.0.0 (eol since December 31, 2015)

"IE 7 / Vista", "IE 8-10 / Win 7" -- Microsoft Internet Explorer < 11 (eol since January 12th, 2016)

"Chrome 49 / XP SP3" -- Chrome 49.x on Windows XP SP3 (eol since April, 2016)

"Safari 9 / iOS 9", "Apple ATS 9 / iOS 9" -- Apple iOS 9.x (eol since around August, 2016)

"Safari 9 / OS X 10.11" -- Apple Safari 9.x for Mac (eol presumed September, 2016)

"Android 5.0.0" -- Google Android 5.x Lollipop (eol since October, 2016)


And for reference, the following are coming up on EoL soon:


"Firefox 49 / XP SP3", "Firefox 49 / Win 7" -- Mozilla Firefox 49.x (eol expected November 8, 2016)

Apple Mac OS X 10.9 Mavericks (eol expected around December, 2016)

"OpenSSL 1.0.1l" -- OpenSSL 1.0.1 (eol expected December 31, 2016)

Microsoft Windows Vista (eol expected April 11, 2017)

"IE 11 / Win Phone 8.1 Update" -- Microsoft Windows Phone 8.1.x (eol expected July 11, 2017)

"Safari 10 / iOS 10" -- Apple iOS 10.x (eol predicted August, 2017)

"Safari 10 / OS X 10.12" -- Apple Safari 10.x for Mac (eol predicted August, 2017)

"Java 8u31" -- Oracle Java 8.x (eol expected September, 2017)

"Android 6.0" -- Google Android 6.x Marshmallow (eol expected September, 2017)


And the following are expected to EoL later:


Apple Mac OS X 10.10 Yosemite (eol predicted around December, 2017)

"Edge 13 / Win Phone 10" -- Microsoft Windows 10 Mobile (eol expected January 9, 2018)

"Android 7.0" -- Google Android 7.x Nougat (eol expected October, 2018)

Apple Mac OS X 10.11 El Capitan (eol predicted around December, 2018)

Apple macOS 10.12 Sierra (eol predicted around December, 2019)

"OpenSSL 1.0.2e" -- OpenSSL 1.0.2 (eol expected December 31, 2019)

"IE 11 / Win 7", "Chrome 51 / Win 7" -- Microsoft Windows 7 (eol expected January 14, 2020)

"IE 11 / Win 8.1" -- Microsoft Windows 8.1 (eol expected January 10, 2023)

"IE 11 / Win 10", "Edge 13 / Win 10" -- Microsoft Windows 10 (eol expected October 14, 2025)
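As an added example (not part of smaug's post and not code from the SSL Labs tool), here is the deterministic marking rule the post proposes, applied to a few of its listed clients with the post's date as the scan date. The exact EoL days for "around month" entries, the reading of the 18-month threshold, and a "yellow" band for clients that went EoL less than 18 months ago are assumptions made here.

```python
from datetime import date

# Added example: the deterministic marking rule proposed in the post, applied to
# a few of its listed clients. EoL months given as "around X" are taken as the
# first of that month (assumption), and the scan date is the post's date.
GREY_AFTER_MONTHS = 18          # post: grey once >= 18 months past official EoL
SCAN_DATE = date(2016, 10, 22)

# Constructed sample rows: (simulator label, EoL date, handshake succeeded?)
CLIENTS = [
    ("Android 2.3.7",        date(2012, 12, 1),  False),
    ("Java 7u25",            date(2015, 4, 1),   False),
    ("Chrome 49 / XP SP3",   date(2016, 4, 1),   False),
    ("Android 5.0.0",        date(2016, 10, 1),  False),
    ("Firefox 49 / Win 7",   date(2016, 11, 8),  False),
    ("IE 11 / Win 10",       date(2025, 10, 14), True),
]

def months_since(eol: date, today: date) -> int:
    """Whole months from eol to today; negative while the client is still supported."""
    months = (today.year - eol.year) * 12 + (today.month - eol.month)
    return months - 1 if today.day < eol.day else months

def classify(eol: date, today: date, handshake_ok: bool) -> str:
    """Colour for one simulated-client row.

    ok     - handshake succeeded, nothing to flag
    red    - failure against a client that is still supported (current behaviour)
    yellow - failure against a client EoL for under GREY_AFTER_MONTHS months
    grey   - failure against a client EoL for GREY_AFTER_MONTHS months or more;
             informational only, not a server misconfiguration
    """
    if handshake_ok:
        return "ok"
    age = months_since(eol, today)
    if age < 0:
        return "red"
    return "yellow" if age < GREY_AFTER_MONTHS else "grey"

def mark_clients(today: date = SCAN_DATE) -> dict:
    """Map each sample client label to the colour the rule assigns."""
    return {name: classify(eol, today, ok) for name, eol, ok in CLIENTS}

if __name__ == "__main__":
    for name, colour in mark_clients().items():
        print(f"{colour:6} {name}")
```

Note that Java 7 lands on grey rather than yellow here because April 2015 is already just over 18 months before the scan date; a per-vendor override like the one the post suggests would need a separate rule.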
