Another report forwarded to me by a client saying "your website is insecure because it accepts outdated encryption protocols" - naturally passed along to them by third parties.

Yes, it accepts them. But it's a static website that simply provides some information about the company. Nothing critical, nothing dynamic. No data is exchanged. There is no login.

We had already tightened everything up a few months ago (for me it's literally a one-line change), but they later told me that some visitors could no longer access the site and asked me to revert it. Probably older devices, but there are plenty of those out there. I know organizations that still use Windows 7, and I still occasionally see some XP clients around.

So now I explained to the client that we have two possible choices: accept the "risk" (which, frankly, I'm not entirely sure what it would be, since even if someone decrypted the traffic they would see nothing that isn’t already visible by simply visiting the page normally), or lock it down again, potentially cutting off some devices, just like what happened a few months ago.

The choice is theirs. We’ll see!
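For readers wondering what the "one-line change" mentioned above usually looks like in practice, here is an added example (not part of the original post, and not the author's actual configuration): an nginx server block showing the permissive protocol list next to the tightened one. The server name and certificate paths are placeholders; the `ssl_protocols` directive and version names are nginx's own.

```nginx
# Added example, not the post author's configuration. Assumes nginx.
# The trade-off described in the post lives entirely in the ssl_protocols line.

server {
    listen 443 ssl;
    server_name example.com;                            # placeholder
    ssl_certificate     /etc/ssl/certs/example.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;   # placeholder path

    # Permissive setting: old clients can still connect, but the server also
    # accepts TLS 1.0 and TLS 1.1, which scanners report as outdated protocols.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    # Tightened setting: only TLS 1.2 and 1.3. A client that cannot negotiate
    # either of these fails the handshake and never receives the page at all,
    # which is the "some visitors could no longer access the site" outcome.
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/static-site;                          # placeholder path
}
```

After editing, `nginx -t` validates the file and a reload applies it. To confirm which side of the trade-off you are on, a handshake forced to an old version (for example `openssl s_client -tls1_1 -connect example.com:443`) should fail against the tightened setting and succeed against the permissive one, so the change can be verified before visitors report it.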

