Re: F29 System Wide Change: Strong crypto settings: phase 2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, 2018-06-13 at 00:45 -0400, Paul Wouters wrote:
> On Wed, 6 Jun 2018, Nikos Mavrogiannopoulos wrote:
> 
> > I think the debate here is whether fedora (and in general operating
> > systems) can afford to be stricter than the browsers. As an OS our
> > attack surface is much larger than the browser setup, and thus it
> > makes
> > sense (to me), to be more careful.
> 
> Your legacy interaction will also be much larger. Like connecting to
> your home wifi router's webgui.
> 
> > Can we afford to break a significant part of our users? Of course
> > not,
> > but I think that this change is eventually happening, especially
> > with
> > TLS1.3 expected to be deployed widely, and it seems to me that we
> > only
> > wait to see who will do the first step.
> 
> I don't think TLS 1.3 will see a wide deployment immediately. Sure,
> the
> famous top websites and top browsers will, but enterprises will not.
> And
> especially those with any kind of loggin/auditing requirements cannot
> even allow TLS 1.3 with ephemeral DH on their network.
> 
> I would personally first try and disable TLS 1.0 in f29 and see how
> much
> problems that generates. Then in f30 or f31 disable TLS 1.1.

Except from the internet website statistics the TLS-1.1 only or as
maximum TLS version is not deployed. The sites are either TLS-1.0 max
version or they support also TLS-1.2. So this will not make almost any
difference and the impact on compatibility will be practically the same
as disabling even TLS-1.1.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/KTJ64X46W5B37VYDDBV3KNKDRANJU3WA/
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux