First, I may be asking a dumb question. I am trying to learn, so please, take it easy on me.
Second, if this is not the right place for this question, or you can link me elsewhere, please tell me or do so.
Third, I appreciate anyone who takes the time to answer.
This said, I am utilizing a desktop program (as a customer) which streams real time information and holds sensitive data on it as well, such as account values and account numbers. It does not hold or transmit credit card information.
Occasionally I have Wireshark running and noticed that this program completes its handshake using TLSv1.0 with the cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. I can't seem to understand why this would be considering what I understand about TLSv1.0 and CBC (but note above, I am new to this). Is this at all, in any manner, appropriate because of its key exchange being ECDHE and encryption cipher of AES 256?
I know this is not PCI-DSS compliant and I know many vendors have completely moved away from TLSv1.0, as in completely disabled it. I can only think the reason for this is that the owner of the program does not want to put out clients who may be using an old OS that doesn't have newer cipher suites, but I could be misguided in my understanding of this. The owner's recommended OS is Windows 10, but I see no issue as to why it would not operate on previous OS versions, possibly including Vista.
Obviously I am being coy about the program as I really have no idea if this poses any risk. Since I am a novice, I suspect those who are in charge of the program have a valid reason for using this version of TLS/cipher suite, but I thought I'd ask.
Thanks for taking the time to read.
Edit: forgot to mention: Compression Method: null (0). I have read that this should be set to null, in case this matters.
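As an added example (not code from the original post or from the program in question), here is a small Python parser that pulls the negotiated version, cipher suite and compression method out of a TLS ServerHello record, then flags the same properties the question raises: TLS 1.0, a CBC suite, and compression. The sample record is constructed inline to match the post (TLSv1.0, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, compression null); the suite and version code points are the standard IANA values.

```python
import struct

# Cipher suite and version code points from the IANA TLS registry.
CIPHER_SUITES = {
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello and return the negotiated parameters."""
    ctype, _rec_ver, length = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if body[0] != 2:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]                      # 32 bytes of random precede the session id
    off = 35 + sid_len
    cipher = struct.unpack("!H", hello[off:off + 2])[0]
    compression = hello[off + 2]
    return {"version": VERSIONS.get(version, hex(version)),
            "cipher_suite": CIPHER_SUITES.get(cipher, hex(cipher)),
            "compression": compression}

def assess(params: dict) -> list:
    """Return the findings a defender would raise about the negotiated parameters."""
    findings = []
    if params["version"] in ("TLSv1.0", "TLSv1.1"):
        findings.append(f"deprecated protocol version {params['version']}")
    if "_CBC_" in params["cipher_suite"]:
        findings.append("CBC cipher suite (MAC-then-encrypt record layer)")
    if params["compression"] != 0:
        findings.append("TLS compression enabled")
    return findings

def build_server_hello(version=0x0301, cipher=0xC014, compression=0) -> bytes:
    """Constructed sample: ServerHello with an empty session id (not a real capture)."""
    hello = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", cipher) + bytes([compression]))
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(hs)) + hs

SAMPLE = build_server_hello()  # matches the handshake described in the post
```

Run `assess(parse_server_hello(SAMPLE))` to see the two findings for the post's handshake; the same record with TLSv1.2 and an AES-GCM suite yields none.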