:: Re: [DNG] openssl/libssl1 in Debian…
Góra strony
Delete this message
Reply to this message
Autor: Arnt Gulbrandsen
Data:  
Dla: dng
Temat: Re: [DNG] openssl/libssl1 in Debian has disabled TLS 1.0 & 1.1
ael writes:
> I am happy with that. Just as long as one can enable it when
> *necessary*.


You have a compiler and building is easy.

> What is unacceptable is for Devuan to take away the freedom to read
> email or prevent communication with devices which cannot be updated.


Keep in mind that compiling with SSL2/SSL3/TLS1.0 support opens the door to
downgrade attacks.

The process works like this: 1. Someone discovers an attack against, say,
40-bit DES. The only way to remain safe against the attack is to stop using
40-bit DES. 2. Some maintainers leave in support for 40-bit DES to it can
be used "when necessary". 3. A MITM attacker persuades one end of a
connection that the other end supports nothing better. 4. The connection
now uses 40-bit DES, which the attacker decrypts.

You want support for the vulnerable protocol when YOU think it's necessary.
But the code doesn't ask WHO thinks it's necessary, you or an attacker.

Arnt