emacs-devel

Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.


From: Perry E. Metzger
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Fri, 24 Oct 2014 20:42:02 -0400

On Sat, 25 Oct 2014 06:47:37 +0900 "Stephen J. Turnbull"
<address@hidden> wrote:
> It's possible that the inconvenience is small.  Your anecdote about
> P25 radios suggests that in that case in fact it was, but that can
> only be determined by finding out whether organizations different in
> many ways are the same in that dimension.  On the other hand, it is
> a fact that people have died (and to this day are dying in Japan)
> because of lack of compatibility between communication systems among
> cooperating organizations such as fire and police.  It's possible
> that fallback-to-compatible capability did matter and still does
> matter.

There are ways to provide compatibility without sacrificing security,
however. Read our papers or our (redacted) recommendations to law
enforcement if you wish.

> I'm not going to attempt to deny the importance of security, the
> lack of information and training in use of optional security
> features among users, or the rapid escalation of frequency and
> power of attacks. Nevertheless, advocating extreme security policy
> is unlikely to achieve the goal of extreme security in the current
> environment, and I believe that a more balanced approach can do
> better.

I think that removing SSL 3.0 support is not an "extreme measure" and
leaving it in isn't "balanced" at this point.

TLS 1.0 has been around for a very long time. If you want to argue
that removing TLS 1.0 and 1.1 support is a bad idea since support
has only become 100% universal in the last several years, you have a
case to make -- perhaps it should be another few years until those
are deprecated. Then again, I never suggested removing them right now.

If, on the other hand, you want to argue that getting rid of SSL 3.0
is a problem at this point, then you are arguing de facto that bad
protocols can *never* be removed, and that causing minor
inconvenience to a handful of users is far more important than
security.

Perry
-- 
Perry E. Metzger                address@hidden
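
The policy argued for above, as an added example that is not code from Emacs, Gnus or this thread: a client that never negotiates SSL 3.0, with the TLS floor kept as a single tunable so TLS 1.0/1.1 can stay for now and be dropped later by changing one value. It uses only Python's standard ssl module; the function names are hypothetical and the version list is the one ssl.TLSVersion knows about.

```python
import ssl

# Added example, not code from Emacs, Gnus or this thread. Only the
# standard ssl module is used; the function names are hypothetical.
# Policy modelled: SSL 3.0 is never negotiated, while the TLS floor is
# one tunable, so TLS 1.0/1.1 can be kept today and removed later.

_ORDER = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def make_client_context(floor: str) -> ssl.SSLContext:
    """Client context that refuses SSL 3.0 and anything below `floor`
    (a name from ssl.TLSVersion, e.g. "TLSv1" or "TLSv1_2")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies certs and hostnames
    ctx.load_default_certs()
    # Versions below the floor are neither offered nor accepted, so there
    # is nothing for a downgrade to fall back to.
    ctx.minimum_version = ssl.TLSVersion[floor]
    return ctx


def floor_supported(floor: str) -> bool:
    """True if this OpenSSL build can still be asked for `floor` at all.
    Builds that have dropped TLS 1.0/1.1 reject the setter, which tells
    you the "keep them a few more years" option is already gone here."""
    try:
        make_client_context(floor)
    except (ValueError, ssl.SSLError):
        return False
    return True


def negotiable_versions(ctx: ssl.SSLContext) -> list:
    """Names of the versions `ctx` is willing to speak, from its bounds."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_i = 0 if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else _ORDER.index(lo.name)
    hi_i = (len(_ORDER) - 1 if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED
            else _ORDER.index(hi.name))
    allowed = _ORDER[lo_i:hi_i + 1]
    # Python sets OP_NO_SSLv3 on every context it creates; honour it too,
    # so SSL 3.0 stays refused even with the floor at MINIMUM_SUPPORTED.
    if ctx.options & ssl.OP_NO_SSLv3:
        allowed = [v for v in allowed if v != "SSLv3"]
    return allowed


def refuses_sslv3(ctx: ssl.SSLContext) -> bool:
    return "SSLv3" not in negotiable_versions(ctx)


if __name__ == "__main__":
    for floor in ("TLSv1", "TLSv1_2"):
        if not floor_supported(floor):
            print(f"floor {floor}: this OpenSSL build no longer supports it")
            continue
        ctx = make_client_context(floor)
        print(f"floor {floor}: negotiates {negotiable_versions(ctx)}, "
              f"refuses SSLv3: {refuses_sslv3(ctx)}")
```

Running it with floor "TLSv1" shows the "keep 1.0/1.1 for now" configuration when the local OpenSSL still compiles them in, and reports plainly when it does not; in both cases SSLv3 is absent from the negotiable list, which is the part of the argument that does not depend on how long the older TLS versions are kept.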


