[gnutls-devel] disabling SSL 3.0 by default in 3.4.0
home_pw at msn.com
Thu Oct 16 00:50:26 CEST 2014
And so it continues (in this or other guise). Strange that folks just WON'T handshake, at the end of APDU exchange (since it has so little cost, 20 years on).
Don't really know what to recommend, when the “trustworthy” technical standards forums (IETF) or their review processes (IESG) are themselves fundamentally untrustworthy, in any crypto matter. Everyone knows US delegation to ISO/ITU-T was always an arm of dept of state (and woe betide anyone expenses payment, if you stepped out of line…)
I asked Steve Kent once, exempting a French official report on the crash of a Russian jet at an air show (due to French spying) - why the report should be trusted - since it was an obvious cover up (and actively misrepresented culpability concerning deaths in the crowd). His answer was - that “official trust” exists to be manipulated - when one is dealing with national security issues. The “investment” in standards was there to project such trust attacks, and engineer a deception-friendly environment, focused on human weakness, consumer or admin (or crypto officer) alike.
Sent from Surface Pro
From: Daniel Kahn Gillmor
Sent: Wednesday, October 15, 2014 3:17 PM
To: Peter Williams, Tim Rühsen, gnutls-devel at gnu.org
Cc: GnuTLS development list
On 10/15/2014 05:40 PM, Peter Williams wrote:
> Some of us still use ssl v2
> Don't rush, like lemmings.
we are well past the time that anyone who removes either sslv2 or sslv3
can be accused of "rushing" -- if you have special use cases that enable
you to privately use custom/non-standard protocols in ways that you
think are secure, that's fine. No one will prevent you from doing that.
But please don't encourage the use of protocols with known problems on
the public 'net, where people need to interoperate with each other over
a known-hostile network.