Re: F29 System Wide Change: Strong crypto settings: phase 2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote:
> On 06/05/2018 12:25 PM, Tomas Mraz wrote:
> > On Tue, 2018-06-05 at 16:11 +0000, Christian Stadelmann wrote:
> > > "Fallback option" always smells like "protocol downgrade attack".
> > > This would undermine the idea of a crypto policy. Anyway,
> > > implementing it seems way out of scope for the crypto policy.
> > 
> > Yes, a fallback option is a no-way. You can switch the system
> > policy to
> > LEGACY, however that does not necessarily mean that some very old
> > legacy HW will start to work with Firefox or another web browser,
> > because with newer versions of the browsers and newer versions of
> > TLS/crypto libraries some very old and insecure algorithm and
> > protocol
> > support is being also removed.
> > 
> 
> Makes sense, but what is the best way to deal with such old HW if
> you're 
> stuck with it?  I don't want to compromise my workstation for all my 
> normal needs just to deal with some ancient embedded https server,
> but 
> it would kind of suck to have to boot some old live image just to do 
> some routine config change.  It seems the industry has room for 
> improvement here.

Use a virtual machine with some old live image for such insecure
communication?

I do not think any "improvement" that involves changing the defaults to
be more lenient even if accompanied with some big warning when such old
insecure connection is established would be a good idea. Оnly if the
users really have to boot some old live image or do some similar
unpleasant task it will really force the old HW out of production where
it should belong. Or we can forget about security based on
cryptographic protocols altogether.

Note that we are talking about SSLv2, MD4 or similar long long time ago
obsolete stuff. Not things that were just "recently" found as insecure.
-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/QJRRPYEIHGADBY3U6I3OPGZD7JY733XV/
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux