zlacker

1. ploxil+(OP) 2017-02-28 07:54:06
To explain the other answer a bit more: TLS upgrades have always been opt-in. The problem is that you have to be very clever where you put that option, or some (expensive and popular and dumb) webservers and middleboxes will just freak out and block the client.

The obvious place is the TLS version number in the handshake. It can say "I support up to TLS 1.3" and the other side can say "I support up to TLS 1.2" and the obvious choice is 1.2. But again, some webservers and middleboxes, as soon as they see 1.3 there, freak out and block the connection completely.

Another idea for where to put it is in the candidate ciphers list - an "oh and I support TLS 1.3" pseudo-"cipher". The other side is supposed to just not use it if it's not recognized. But again, some stuff out there just freaks out.

Why do they freak out? Sometimes it's because someone thought that any unrecognized bit could be a hacking attempt. Sometimes it's because the software starts as a pile of bugs and is just debugged to the point that it mostly works today (and at that time "1.3" was never seen at exactly that spot).

So the goal of "GREASE" is to put random not-enumerated values in places like the ciphers list. Once a server or middlebox is compatible with GREASE, it'll be compatible with any future optional upgrade signal being present in those parts of the TLS handshake.

(I'm not sure where GREASE has been implemented so far, and I'm not sure if TLS 1.3 is 100% finalized yet.)

replies(1): >>jessau+vm
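
The negotiation behaviour described in the comment above, as an added example that is not part of the original post: a tolerant server next to an intolerant one, and a GREASE-style probe that tells them apart. The function names, the server's configuration and the single max-version field are assumptions made for illustration; the GREASE code points are the ones reserved in RFC 8701.

```python
import random

# GREASE code points reserved by RFC 8701: 0x0A0A, 0x1A1A, ..., 0xFAFA.
GREASE_VALUES = [(n << 12) | 0x0A00 | (n << 4) | 0x0A for n in range(16)]

TLS12, TLS13 = 0x0303, 0x0304            # wire encodings of the version numbers
SERVER_MAX_VERSION = TLS12               # constructed: a server that stops at 1.2
SERVER_CIPHERS = [0xC02F, 0xC030]        # suites this server is willing to use
KNOWN_CIPHERS = {0xC02F, 0xC030, 0x009C} # suites its code has "seen before"


def add_grease(ciphers, rng):
    """Return a copy of the client's cipher list with one GREASE value inserted."""
    out = list(ciphers)
    out.insert(rng.randrange(len(out) + 1), rng.choice(GREASE_VALUES))
    return out


def tolerant_server(client_version, client_ciphers):
    """Negotiate: take the lower version, skip any cipher value not recognised."""
    version = min(client_version, SERVER_MAX_VERSION)
    for suite in client_ciphers:         # walk the client's preference order
        if suite in SERVER_CIPHERS:
            return version, suite
    return None                          # genuinely no cipher in common


def intolerant_server(client_version, client_ciphers):
    """The failure mode from the post: anything unfamiliar blocks the connection."""
    if client_version > SERVER_MAX_VERSION:
        return None                      # "1.3" was never seen at that spot
    if any(suite not in KNOWN_CIPHERS for suite in client_ciphers):
        return None                      # unknown value treated as an attack
    return tolerant_server(client_version, client_ciphers)


def grease_probe(server, trials=50, seed=1):
    """True if GREASE'd hellos negotiate exactly like the plain hello does."""
    rng = random.Random(seed)
    offer = [0xC030, 0x009C]             # constructed sample client cipher list
    baseline = server(TLS12, offer)
    return baseline is not None and all(
        server(TLS12, add_grease(offer, rng)) == baseline for _ in range(trials))


if __name__ == "__main__":
    print("tolerant passes probe:  ", grease_probe(tolerant_server))
    print("intolerant passes probe:", grease_probe(intolerant_server))
```
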
2. jessau+vm 2017-02-28 13:19:21
>>ploxil+(OP)
I wasn't clear, but I meant "opt-in" in the sense that it would be enabled on the client by optional configuration, with big warnings for users on "corporate networks". This would draw attention to the issue, because every time a version bumped the web would be flooded with "be sure and opt in to the TLS upgrade, unless you're on a shitty BlueCoat network!" advice. Eventually BlueCoat would get the message.

I understand that proper network hosts will negotiate TLS versions rather than "freaking out".
