[Servercert-wg] List of Websites Relying on TLS 1.0 / 1.1

Doug Beattie doug.beattie at globalsign.com
Mon Aug 12 07:05:08 MST 2019


Wayne,

 

Sorry, I glossed over the serial number columns you had listed, sorry about that, we’ll use those columns for digging into the certificate details and POC.

 

Doug

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Doug Beattie via Servercert-wg
Sent: Monday, August 12, 2019 8:29 AM
To: Wayne Thayer <wthayer at mozilla.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] List of Websites Relying on TLS 1.0 / 1.1

 

Hi Wayne,

 

It would be helpful if you included the Serial number of the certificate you found.  Do you think you could add that so we can track back to the specific certificate request that is securing the site?


Doug

 

 

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Friday, August 9, 2019 2:52 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] List of Websites Relying on TLS 1.0 / 1.1

 

Here is a current list of websites that don't support TLS 1.2 or higher: https://docs.google.com/spreadsheets/d/1Sx94fDTTo9MhXXorQJXizk2J6rs-Vc65cptaQqMjGwQ/edit?usp=sharing

 

(also here in CSV format: https://bugzilla.mozilla.org/attachment.cgi?id=9083874)

 

It includes the issuing CA and serial number, so should be easy for each CA to filter.

 

Thank you to everyone who has or is planning to reach out to your customers that are on the list.

 

- Wayne

 

On Mon, Jul 1, 2019 at 8:54 AM Wayne Thayer <wthayer at mozilla.com <mailto:wthayer at mozilla.com> > wrote:

Last year, Mozilla [1], Google [2], Microsoft [3], and Apple [4] all announced that our browsers will stop supporting TLS 1.0 and 1.1 in March 2020. During the Mozilla browser update at the last two F2F meetings, I have asked CAs to help get the word out to their customers about this change. CAs have direct relationships with the organizations that operate affected websites, and this provides a great opportunity for CAs to engage with their customers and help to improve web security.

 

At the last meeting, I was asked if Mozilla could facilitate this outreach by providing a list of websites that do not support TLS 1.2 or higher grouped by the CA that issued the website's TLS certificate. This information - for websites on the Tranco top 1 million list [5] - is located at:

 

https://docs.google.com/spreadsheets/d/1iSEEfc5AuYwT5elAEvkZdLSbwBeJ_SR-0El6s08zNs8/edit#gid=2044764669

 

Please be aware that this information was collected 1-2 months ago, so I recommend that you confirm that the site is still on the following list of affected site, which is updated weekly:

 

http://tlscanary-plot-8e95d89854d73f4d.elb.us-west-2.amazonaws.com/tlsdeprecation-carnage.txt

 

Please let me know if you have any questions, and thanks in advance for everyone's help with this!

 

- Wayne

 

[1] https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/

[2] https://security.googleblog.com/2018/10/modernizing-transport-security.html

[3] https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/

[4] https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/

[5] https://tranco-list.eu/

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190812/38ae0dad/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5701 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190812/38ae0dad/attachment-0001.p7s>


More information about the Servercert-wg mailing list