On Tue, 2018-06-12 at 16:01 +0200, Kai Engert wrote:
> On 06/11/18 15:14, Tomas Mraz wrote:
> > > Okay, so IIUC now, this is an all-or-nothing kind of change. If
> > > I
> > > elect/need to use LEGACY to administer some old hardware that I
> > > cannot
> > > otherwise connect to using the defaults, then I'm compromising
> > > that
> > > host's security for anything/everything its used for until it's
> > > taken
> > > back off LEGACY and returned to whatever the non-LEGACY is
> > > called.
> > > Do I
> > > have it right now?
> >
> > Yes, except one thing. Just by switching to LEGACY it does not mean
> > you're compromising the host's security. The protocol negotiation
> > and
> > ciphersuite ordering still applies and it will use the best
> > available
> > protocol and ciphersuite and not some random insecure protocol
> > version
> > and ciphersuite. The insecure protocols and ciphersuites will be
> > used
> > only in the case the other end does not know anything better.
>
> Could switching to LEGACY allow some man-in-the-middle downgrade
> attacks, in which an attacker manipulates the initial phases of
> handshakes, and tricks the parties to use a weaker protocol?
No, that would be a bug in the implementation or protocol design. But
there should be no such issue with the current implementations.
--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/JOJZOK3N4GL3B6NXIKZKDXJORSHZ7BTZ/
