On 02/26/2018 11:26 AM, mcatanzaro@xxxxxxxxx wrote:
On Mon, Feb 26, 2018 at 9:37 AM, Nikos Mavrogiannopoulos
<nmav@xxxxxxxxxx> wrote:
regarding the strong crypto change in Fedora28 [0], we have identified
few (usually internal) sites which break under firefox or other tools.
The main reason for this breakage is that these sites only support
Diffie-Hellman with 1024-bit parameters which are considered too weak
by this change.
Setting up a unified distro-wide crypto policy was a Good Thing, but
we have to use it responsibly. Unfortunately, I don't think it's
practical for Fedora to increase the minimum required Diffie-Hellman
parameter size to 2048 until either Firefox or Chrome has done so
first. Users are just going to object that they can't use Fedora to
access various important websites, and those important websites will
never be fixed so long as they're only broken for Fedora users. We
should consider ourselves at the mercy of the major browser vendors to
implement new restrictions before we do. It's a shame that major
browsers are so unwilling to break websites, even when it's clearly
important for security, but that's the world we live in. :/
Alternatively, if you want to strengthen the system crypto policy,
then it should not apply to web browsers at all. Or web browsers
should automatically use the weak policy. (We'd need the weak policy
in glib-networking, too.)
It seems to me that the middle ground between giving up and breaking
things might be to throw up a warning, like the unsecure HTTPS warnings
for sites with self-signed certificates. I'd think upstream should be
agreeable to it. Is it hard to do---would it possible by configuring the
browser or would it require new code and patching?
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
