Application Transport Security Safari

Have a question regarding ATS and Safari.


By default on iOS9 and OS X 10.11, is Safari forced to use the ATS standards? (TLS1.2, PFS, ECDHE, SHA-2, and forcing HTTPS/no HTTP) I can't seem to find a straight answer on this, as I have seen many forums where they state that HTTP connections will not be allowed (I'll call that one out; that would make most websites inaccessible to newer Apple OSs), and that if the server supports TLS1.0 or 1.1 the connection will be dropped.


Now, the way that I interpret the ATS standard as it applies to Safari is that HTTP will be allowed, and the client will be forced to connect to HTTPS sites only if the server supports TLS1.2, ECDHE, PFS, and has a SHA-2 cert. If the server supports earlier versions of TLS, older SSL ciphers, or no PFS, the connection will still work for the newer OSs, and the server will allow clients that don't support the newer standards. If this is not the case, then people with older client devices that cannot support the newer standards will be denied access to half the internet in order to abide by Apple's ATS.


I am thinking that the strictness of ATS is primarily enforced for mobile applications, and not necessarily strictly enforced for Safari/web browsers (meaning, if the server supports older standards as well as the standards enforced by ATS, the connection is dropped/denied).


Any clarification is greatly appreciated.


Nic

Replies

By default on iOS9 and OS X 10.11, is Safari forced to use the ATS standards?

No. Apps like Safari, which must be able to connect to any server—HTTP or HTTPS, including less secure and totally insecure HTTPS—are exactly the reason why ATS supports the NSAllowsArbitraryLoads option. I'm not sure if Safari uses that option (Safari is a complex ***** and, being built into the OS, it doesn't have to use the same infrastructure as normal apps), but it acts like it uses that option.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
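As an added illustration of the NSAllowsArbitraryLoads and NSExceptionDomains mechanism Quinn refers to (example code written for this page, not from the thread or from Apple): a small audit script that reads an app's Info.plist and reports which hosts end up with a policy weaker than the ATS default of HTTPS only, TLS 1.2 and forward secrecy. The sample plist and the host legacy.example.com are constructed; the ATS keys themselves are the documented ones.

```python
import plistlib

# Constructed sample Info.plist (not from the thread): ATS left on globally,
# with one per-domain exception that weakens the policy for a legacy host.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def ats_policy(plist_bytes: bytes) -> dict:
    """Effective ATS policy: key '*' covers hosts not listed; one key per
    NSExceptionDomains entry, each filled in with the per-domain defaults."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads", False):
        # Global opt-out: unlisted hosts may use plain HTTP or any TLS version.
        policies = {"*": {"http": True, "min_tls": "none", "pfs": False}}
    else:
        # ATS default: HTTPS only, TLS 1.2 minimum, forward secrecy required.
        policies = {"*": {"http": False, "min_tls": "TLSv1.2", "pfs": True}}
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        policies[domain] = {
            "http": exc.get("NSExceptionAllowsInsecureHTTPLoads", False),
            "min_tls": exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2"),
            "pfs": exc.get("NSExceptionRequiresForwardSecrecy", True),
        }
    return policies

def weakened_hosts(plist_bytes: bytes) -> list:
    """Names ('*' or a domain) whose policy is weaker than the ATS default."""
    return sorted(n for n, p in ats_policy(plist_bytes).items()
                  if p["http"] or p["min_tls"] != "TLSv1.2" or not p["pfs"])
```

Running weakened_hosts on a shipped Info.plist is a quick way to see whether an app has opted out of ATS wholesale (the '*' entry) or only for the listed hosts.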

Does this hold true for macOS 10.12 Sierra?


Both betas so far cannot access https://www.houdah.com