bug-wget
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] SSL Poodle attack

From: Daniel Kahn Gillmor
Subject: Re: [Bug-wget] SSL Poodle attack
Date: Wed, 15 Oct 2014 17:53:05 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Icedove/32.0 
On 10/15/2014 05:37 PM, Daniel Stenberg wrote:
> On Wed, 15 Oct 2014, Daniel Kahn Gillmor wrote:
> 
>> (e.g. [for OpenSSL] if the system default is always explicitly
>> referenced as DEFAULT and we decide that we never want wget to use
>> RC4, then DEFAULT:-RC4 is a sensible approach, because it allows
>> OpenSSL to update DEFAULT and wget gains those improvements
>> automatically)
> 
> I disagree. OpenSSL is but a TLS library that provides functionality -
> and it does so rather conservatively in my view. It does not necessarily
> set the security standard for what applications should aim for in a good
> manner.
> 
> SSL_DEFAULT_CIPHER_LIST for OpenSSL in my debian unstable (== fairly
> recent version 1.0.1i) says "ALL:!aNULL:!eNULL:!SSLv2".
> 
> That means it allows EXPORT40, EXPORT56 and LOW for example (if I'm not
> missing something), in addition to RC4. Those are terribly weak ciphers.
> 
> OpenSSL ciphers list is at https://www.openssl.org/docs/apps/ciphers.html

I agree that OpenSSL has traditionally been too conservative.  I'm
arguing that if we're going to set anything other than the default, we
should make our changes as *relative* changes rather than specifying
something absolute, so that wget can get any improvements that OpenSSL
makes to the default without having to rebuild wget itself.

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]