[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [gnutls-devel] disabling SSL 3.0 by default in 3.4.0
|
From: |
Tim Rühsen |
|
Subject: |
Re: [gnutls-devel] disabling SSL 3.0 by default in 3.4.0 |
|
Date: |
Thu, 16 Oct 2014 12:35:45 +0200 |
|
User-agent: |
KMail/4.14.1 (Linux/3.16-2-amd64; KDE/4.14.1; x86_64; ; ) |
Am Mittwoch, 15. Oktober 2014, 22:50:26 schrieb Peter Williams:
> Folks are “Rushing” because, last week, this was not even on the radar -
> even though the use of standards committees to engineer-in cbc mode oracle
> attacks has been going on for 20 years. Same goes for the packet drivers
> and their careful reaction to inbound bit patterns that changes the code
> path takes, that then play the role of the JavaScript “in the latest cbc
> mode oracle attack”.
It's time to rush because the threat just became *real*.
We (developers/coders) can't do much on 'unknown' threats.
> And so it continues (in this or other guise). Strange that folks just WONT
> handshake, at the end of APDU exchange (since it has so little cost, 20
> years on)
>
> Don't really know what to recommend, when the “trustworthy” technical
> standards forums (IETF) or their review processes (IESG) are themselves
> fundamentally untrustworthy, in any crypto matter. Everyone knows US
> delegation to ISO/ITU-T was always an arm of dept of state (and woe betide
> anyone expenses payment, if you stepped out of line…)
>
> I asked Steve Kent once, exempting a French official report on the crash of
> a Russian jet at an air show (due to French spying) - why the report should
> be trusted - since it was an obvious cover up (and actively misrepresented
> culpability concerning deaths in the crowd).. His answer was - that
> “official trust” exists to be manipulated - when one is dealing with
> national security issues. The “investment” in standards was there to
> project such trust attacks, and engineer an deception-friendly environment,
> focused on human weakness, consumer or admin (or crypto officer) alike.
Lies everywhere ;-) You simple can't distinguish between a lie and the truth.
So I simply can't take *anything* of this into my calculations.
However, if your conclusion is 'not to rush'... how long should we wait before
you don't call it 'rushing' any more ? What is your plan ? Firing FUD and tell
people to sit and wait ? Hmm, maybe I got something wrong... but I can't find
anything *useful* within your writing, sorry.
Tim
signature.asc
Description: This is a digitally signed message part.