On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote: > On 06/05/2018 12:25 PM, Tomas Mraz wrote: > > On Tue, 2018-06-05 at 16:11 +0000, Christian Stadelmann wrote: > > > "Fallback option" always smells like "protocol downgrade attack". > > > This would undermine the idea of a crypto policy. Anyway, > > > implementing it seems way out of scope for the crypto policy. > > > > Yes, a fallback option is a no-way. You can switch the system > > policy to > > LEGACY, however that does not necessarily mean that some very old > > legacy HW will start to work with Firefox or another web browser, > > because with newer versions of the browsers and newer versions of > > TLS/crypto libraries some very old and insecure algorithm and > > protocol > > support is being also removed. > > > > Makes sense, but what is the best way to deal with such old HW if > you're > stuck with it? I don't want to compromise my workstation for all my > normal needs just to deal with some ancient embedded https server, > but > it would kind of suck to have to boot some old live image just to do > some routine config change. It seems the industry has room for > improvement here. Use a virtual machine with some old live image for such insecure communication? I do not think any "improvement" that involves changing the defaults to be more lenient even if accompanied with some big warning when such old insecure connection is established would be a good idea. Оnly if the users really have to boot some old live image or do some similar unpleasant task it will really force the old HW out of production where it should belong. Or we can forget about security based on cryptographic protocols altogether. Note that we are talking about SSLv2, MD4 or similar long long time ago obsolete stuff. Not things that were just "recently" found as insecure. -- Tomáš Mráz No matter how far down the wrong road you've gone, turn back. Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.] _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/QJRRPYEIHGADBY3U6I3OPGZD7JY733XV/