On Friday 27 March 2015 14:15:47 Gert Doering wrote:
> Hi,
>
> On Fri, Mar 27, 2015 at 12:53:05PM +0100, Hubert Kario wrote:
> > On Thursday 26 March 2015 11:19:28 Michael Felt wrote:
> > > Experience: I have some hardware, on an internal network - that only
> > > supports 40-bit ssl. I am forced to continue to use FF v17 because that
> > > was the last browser to provide SSL40-bit support. My security is weakened
> > > because I cannot update that browser, and I continue to lose plugins
> > > because they do not support FF17 anymore. All other browsers stopped
> > > support earlier as well.
> >
> > Please put the device behind a stunnel and don't put yourself at risk.
>
> I don't think Michael is accessing that device over the Internet - but even
> *in house* some devices force you to jump through such hoops.

Given the fact that he mentions usage of extensions, I'm not so sure he uses it
only for internal out-of-band management sites...

> Like, old HP ILO that you can't get updates for, that insist on using SSL,
> but then fail to interoperate with recent browsers. So what are you going
> to do? "Throw away a perfectly working and secure machine, because its
> out of band interface is crap" or "keep around an old and insecure browser"?

Such interfaces should be on a network of their own; as such, you should go
through a router to be able to connect to them. On the same router you can put
the stunnel or a redirect to another machine that does the tunneling, to make
sure the insecure connections from the trusted network are not routed over the
regular network (be it company internal or Internet).

> Same thing with needing sshv1 to access old network gear where even sshv1
> was an achievement. "Throw away gear that does its job perfectly well,
> but has no sshv2 for *management*" or "keep around an ssh v1 capable
> client"?

If you depend on hardware like this, you should have support* for it. Exactly
because of issues like this.

 * - where "support" means that either you have other people responsible for
     fixing it or that you can hire other people to fix it as the need arises

-- 
Regards,
Hubert Kario
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev