On 06/07/2018 08:44 AM, Tomas Mraz wrote:
On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote:
On 06/05/2018 12:25 PM, Tomas Mraz wrote:
On Tue, 2018-06-05 at 16:11 +0000, Christian Stadelmann wrote:
"Fallback option" always smells like "protocol downgrade attack".
This would undermine the idea of a crypto policy. Anyway,
implementing it seems way out of scope for the crypto policy.
Yes, a fallback option is a no-way. You can switch the system
policy to
LEGACY, however that does not necessarily mean that some very old
legacy HW will start to work with Firefox or another web browser,
because with newer versions of the browsers and newer versions of
TLS/crypto libraries some very old and insecure algorithm and
protocol
support is being also removed.
Makes sense, but what is the best way to deal with such old HW if
you're
stuck with it? I don't want to compromise my workstation for all my
normal needs just to deal with some ancient embedded https server,
but
it would kind of suck to have to boot some old live image just to do
some routine config change. It seems the industry has room for
improvement here.
Use a virtual machine with some old live image for such insecure
communication?
I do not think any "improvement" that involves changing the defaults to
be more lenient even if accompanied with some big warning when such old
insecure connection is established would be a good idea. Оnly if the
users really have to boot some old live image or do some similar
unpleasant task it will really force the old HW out of production where
it should belong. Or we can forget about security based on
cryptographic protocols altogether.
Note that we are talking about SSLv2, MD4 or similar long long time ago
obsolete stuff. Not things that were just "recently" found as insecure.
Oh! I didn't realize the proposal was covering stuff /that/ old.
Somehow TLS 1.1 just didn't equate in my memory with that era. Thank you
Tomas for the clarification.
Also, I just found this neat[0] table that seems to present a good
high-level view of the various TLS levels.
[0] https://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/5BEYIJLDWIHXQVTUZRQ6AN3RKASFOP2Z/