[gnutls-devel] disabling SSL 3.0 by default in 3.4.0
tim.ruehsen at gmx.de
Thu Oct 16 12:35:45 CEST 2014
Am Mittwoch, 15. Oktober 2014, 22:50:26 schrieb Peter Williams:
> Folks are “Rushing” because, last week, this was not even on the radar -
> even though the use of standards committees to engineer-in cbc mode oracle
> attacks has been going on for 20 years. Same goes for the packet drivers
> and their careful reaction to inbound bit patterns that changes the code
> mode oracle attack”.
It's time to rush because the threat just became *real*.
We (developers/coders) can't do much on 'unknown' threats.
> And so it continues (in this or other guise). Strange that folks just WONT
> handshake, at the end of APDU exchange (since it has so little cost, 20
> years on)
> Don't really know what to recommend, when the “trustworthy” technical
> standards forums (IETF) or their review processes (IESG) are themselves
> fundamentally untrustworthy, in any crypto matter. Everyone knows US
> delegation to ISO/ITU-T was always an arm of dept of state (and woe betide
> anyone expenses payment, if you stepped out of line…)
> I asked Steve Kent once, exempting a French official report on the crash of
> a Russian jet at an air show (due to French spying) - why the report should
> be trusted - since it was an obvious cover up (and actively misrepresented
> culpability concerning deaths in the crowd).. His answer was - that
> “official trust” exists to be manipulated - when one is dealing with
> national security issues. The “investment” in standards was there to
> project such trust attacks, and engineer an deception-friendly environment,
> focused on human weakness, consumer or admin (or crypto officer) alike.
Lies everywhere ;-) You simple can't distinguish between a lie and the truth.
So I simply can't take *anything* of this into my calculations.
However, if your conclusion is 'not to rush'... how long should we wait before
you don't call it 'rushing' any more ? What is your plan ? Firing FUD and tell
people to sit and wait ? Hmm, maybe I got something wrong... but I can't find
anything *useful* within your writing, sorry.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: This is a digitally signed message part.
More information about the Gnutls-devel