Forums.FreeBSD.org - SSL Issue?
Mark Felder
feld at FreeBSD.org
Thu May 14 19:11:57 UTC 2015
On Thu, May 14, 2015, at 10:20, Patrick Proniewski wrote:
> On 14 May 2015, at 16:13, jungle Boogie wrote:
>
> > On 14 May 2015 at 06:08, Mark Felder <feld at freebsd.org> wrote:
> >>
> >> TLS 1.0 is dead and is even now banned in new installations according to
> >> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
> >> by *any* HTTPS site now.
> >
> >
> > Hear, hear! We ONLY have 1.0 enabled until the hardware vendor can
> > upgrade their software. I'm looking to celebrate the day when we have
> > 1.1 and 1.2 enabled.
>
>
> That's always the problem with guys like you and me who live in the real
> world. We can't cope with "what should be dead and no longer used".
> Deprecated tomcat/Java/SSL/You-name-it software that you can't just
> upgrade because it's used with hardware/software you can't get rid of.
> At work we are in the ridiculous state where we have to package old
> browser + old Java into VMware ThinApp "bubbles" to access production
> tools.
>
> Removing TLS 1.0 is not a good move. It's possible to provide SSL with
> TLS 1.2, having protection against protocol downgrade, and still provide
> TLS 1.1 and 1.0 for older browsers.
>
I'm in the same boat right now fighting with a vendor who can't get
their software to work beyond Java 1.7u45 (Java 7 is EoL ...).
You can and will get rid of it when the cost of maintaining that awful,
insecure software stack is more than throwing it away and cutting your
losses.
There is a righteous push right now for security and for new development
practices: release early, release often, keep your software tested and
working against modern software and libraries. This creates work for
corporations and increases the cost of maintaining their cash cows. It's
going to cut into their bottom lines. They're going to get angry. But
their software is going to be better for it.
Right now it's too easy to hack and compromise because the entire
internet is lazy. Bad security practices have completely poisoned the
well and it's time to forcibly drain it and start anew. It's going to
hurt, and it's not going to be fun for grandma because someone needs to
pick up the slack and make keeping up to date and secure computing a
thoughtless task. For example, Windows 10 looks to eventually be a
rolling release; strategies like that will help keep end-users up to
date and secure.
Personally I agree with phk that we don't need https *everywhere*.
However, if you're going to implement crypto you need to do it right.
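The quoted claim above, that a server can keep serving TLS 1.0/1.1 to old clients while still refusing a downgraded handshake, is what RFC 7507 (TLS_FALLBACK_SCSV) provides. The following is an added example, not code from this thread or from FreeBSD: it hand-constructs a TLS ClientHello record, parses the client_version and cipher-suite list out of it, and applies the RFC 7507 server-side rule. The function names, the fixed client random and the sample cipher-suite values are assumptions made for the demo.

```python
"""RFC 7507 TLS_FALLBACK_SCSV check on a parsed ClientHello (added example).

A server configured this way still completes TLS 1.0 for a legacy browser,
but refuses a ClientHello that carries TLS_FALLBACK_SCSV at a version lower
than the server's best: that combination means a client which *does* speak
something newer was pushed into a retry, i.e. an active downgrade.
"""
import struct

TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value, RFC 7507
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(client_version, cipher_suites):
    """Construct a minimal TLS record carrying a ClientHello (demo input only)."""
    body = struct.pack("!H", client_version)
    body += b"\x11" * 32                                  # client random, fixed for the demo
    body += b"\x00"                                       # empty session id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    # Record-layer version is commonly 0x0301 regardless of the offered client_version.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a handshake record holding a ClientHello."""
    if not record or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                          # skip client random
    sid_len = body[pos]
    pos += 1 + sid_len                                    # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def negotiate(record, server_min=0x0301, server_max=0x0303):
    """Server-side decision per RFC 7507 section 3.

    Returns ("ok", negotiated_version) or ("alert", reason). Defaults model a
    server that still serves TLS 1.0 but whose best version is TLS 1.2.
    """
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        # The client signals "this is a retry at a lower version", yet we support
        # a higher one: the original handshake was interfered with. Refuse.
        return ("alert", "inappropriate_fallback")
    if client_version < server_min:
        return ("alert", "protocol_version")
    return ("ok", min(client_version, server_max))


if __name__ == "__main__":
    cases = {
        "legacy browser, TLS 1.0, no SCSV": build_client_hello(0x0301, [0x002F]),
        "modern browser, TLS 1.2": build_client_hello(0x0303, [0x002F, 0x0035]),
        "downgraded retry, TLS 1.0 + SCSV": build_client_hello(0x0301, [0x002F, TLS_FALLBACK_SCSV]),
    }
    for label, rec in cases.items():
        status, detail = negotiate(rec)
        shown = VERSIONS.get(detail, detail)
        print(f"{label:40s} -> {status} {shown}")
    # The PCI DSS 3.1 posture mentioned in the thread: TLS 1.2 only.
    print("TLS 1.2-only server vs legacy client ->",
          negotiate(cases["legacy browser, TLS 1.0, no SCSV"], server_min=0x0303))
```

Note that a client offering TLS_FALLBACK_SCSV at the server's highest version is accepted normally; the SCSV only bites when the offered version is below what the server could do, which is exactly the case an attacker forcing a fallback would produce.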