
On Fri, Jan 19, 2024 at 10:55:15AM +0100, Jo Durchholz wrote:
> > That's far from accurate. TLS 1.0, though dated, is quite adequate for many non-browser applications.
>
> Well... sort-of. It depends on SHA-1 for initial handshake and peer authentication (both relevant to prevent man-in-the-middle attacks),
Actually, the TLS 1.0 hash algorithm used in digital signatures is SHA1+MD5, and there are no known practical attacks on that construction.

https://datatracker.ietf.org/doc/html/rfc2246#section-7.4.3

    select (SignatureAlgorithm) {
        case anonymous: struct { };
        case rsa:
            digitally-signed struct {
                opaque md5_hash[16];
                opaque sha_hash[20];
            };
        case dsa:
            digitally-signed struct {
                opaque sha_hash[20];
            };
    } Signature;

There are some theoretical attacks on concatenated hashes that suggest they're not quite as strong as one might naïvely hope, but this has little practical impact.

The TLS 1.0 bulk ciphers use SHA1-HMAC (not raw SHA1):

https://datatracker.ietf.org/doc/html/rfc2246#section-6.2.3.1

There are no known practical attacks on HMAC.

In the browser context, there have been some practical attacks on CBC mac-then-encrypt ciphers used in TLS 1.0, but they're easily mitigated by negotiating EtM:

https://datatracker.ietf.org/doc/html/rfc7366#section-2

In any case, communication with legacy systems via TLS 1.0 is substantially safer than in the clear.

-- 
    Viktor.
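As an added illustration (not part of Viktor's message, and not code from any TLS library), here are the two RFC 2246 constructions he points at, written out in Python: the MD5||SHA-1 digest that a signed ServerKeyExchange covers (section 7.4.3, which is why "SHA-1 alone" is not what gets signed) and the HMAC-SHA1 record MAC (section 6.2.3.1). The key, randoms and record fragment are constructed sample values.

```python
import hashlib
import hmac
import struct


def tls10_signature_digest(client_random: bytes, server_random: bytes,
                           server_params: bytes, sig_alg: str = "rsa") -> bytes:
    """Bytes covered by a TLS 1.0 ServerKeyExchange signature (RFC 2246 7.4.3).

    For RSA the signed value is MD5(m) || SHA-1(m), 36 bytes with no DigestInfo
    wrapper; for DSA it is SHA-1(m) alone. m = client_random || server_random ||
    encoded server params.
    """
    msg = client_random + server_random + server_params
    sha = hashlib.sha1(msg).digest()
    if sig_alg == "rsa":
        return hashlib.md5(msg).digest() + sha
    if sig_alg == "dsa":
        return sha
    raise ValueError("unknown SignatureAlgorithm: %r" % sig_alg)


def tls10_mac_input(seq_num: int, content_type: int, version: tuple,
                    fragment: bytes) -> bytes:
    """HMAC input for a TLS 1.0 record (RFC 2246 6.2.3.1):
    seq_num(8) || type(1) || version(2) || length(2) || fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return header + fragment


def tls10_record_mac(mac_key: bytes, seq_num: int, content_type: int,
                     fragment: bytes) -> bytes:
    """HMAC-SHA1 record MAC with the TLS 1.0 version {3,1}. Under the classic
    mac-then-encrypt layout this tag is computed over the plaintext fragment;
    RFC 7366 (EtM) instead moves it over the ciphertext."""
    data = tls10_mac_input(seq_num, content_type, (3, 1), fragment)
    return hmac.new(mac_key, data, hashlib.sha1).digest()


def check_record_mac(mac_key: bytes, seq_num: int, content_type: int,
                     fragment: bytes, received_mac: bytes) -> bool:
    """Constant-time verification; the sequence number in the MAC input is what
    makes a replayed or reordered record fail this check."""
    expected = tls10_record_mac(mac_key, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, received_mac)


if __name__ == "__main__":
    key = bytes(range(20))                    # constructed write MAC secret
    frag = b"GET / HTTP/1.0\r\n"              # constructed application_data
    tag = tls10_record_mac(key, 0, 23, frag)
    print(tag.hex(), check_record_mac(key, 0, 23, frag, tag),
          check_record_mac(key, 1, 23, frag, tag))
```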