[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

From: Perry E. Metzger
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Fri, 24 Oct 2014 20:42:02 -0400

On Sat, 25 Oct 2014 06:47:37 +0900 "Stephen J. Turnbull"
<address@hidden> wrote:
> It's possible that the inconvenience is small.  Your anecdote about
> P25 radios suggests that in that case in fact it was, but that can
> only be determined by finding out whether organizations different in
> many ways are the same in that dimension.  On the other hand, it is
> a fact that people have died (and to this day are dying in Japan)
> because of lack of compatibility between communication systems among
> cooperating organizations such as fire and police.  It's possible
> that fallback-to-compatible capability did matter and still does
> matter.

There are ways to provide compatibility without sacrificing security,
however. Read our papers or our (redacted) recommendations to law
enforcement if you wish.

> I'm not going to attempt to deny the importance of security, the
> lack of information and training in use of optional security
> features among users, or the rapid escalation of frequency and
> power of attacks. Nevertheless, advocating extreme security policy
> is unlikely to achieve the goal of extreme security in the current
> environment, and I believe that a more balanced approach can do
> better.

I think that removing SSL 3.0 support is not an "extreme measure" and
leaving it in isn't "balanced" at this point.

TLS 1.0 has been around for a very long time. If you want to argue
that removing TLS 1.0 and 1.1 support is a bad idea since support
has only become 100% universal in the last several years, you have a
case to make -- perhaps it should be another few years until those
are deprecated. Then again, I never suggested removing them right now.

If, on the other hand, you want to argue that getting rid of SSL 3.0
is a problem at this point, then you are arguing de facto that bad
protocols can *never* be removed, and that causing minor
inconvenience to a handful of users is far more important than

Perry E. Metzger                address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]