[gnutls-devel] disabling SSL 3.0 by default in 3.4.0

Tim Rühsen tim.ruehsen at gmx.de
Thu Oct 16 12:35:45 CEST 2014


On Wednesday, 15 October 2014, 22:50:26, Peter Williams wrote:
> Folks are “Rushing” because, last week, this was not even on the radar -
> even though the use of standards committees to engineer-in cbc mode oracle
> attacks has been going on for 20 years. Same goes for the packet drivers
> and their careful reaction to inbound bit patterns that changes the code
> path takes, that then play the role of the JavaScript “in the latest cbc
> mode oracle attack”.

It's time to rush because the threat just became *real*.
We (developers/coders) can't do much on 'unknown' threats.

 
> And so it continues (in this or other guise). Strange that folks just WON'T
> handshake, at the end of APDU exchange (since it has so little cost, 20
> years on)
 
> 
> Don't really know what to recommend, when the “trustworthy” technical
> standards forums (IETF) or their review processes (IESG) are themselves
> fundamentally untrustworthy, in any crypto matter. Everyone knows US
> delegation to ISO/ITU-T was always an arm of dept of state (and woe betide
> anyone expenses payment, if you stepped out of line…)
 
> 
> I asked Steve Kent once, exempting a French official report on the crash of
> a Russian jet at an air show (due to French spying) - why the report should
> be trusted - since it was an obvious cover up (and actively misrepresented
> culpability concerning deaths in the crowd).. His answer was - that
> “official trust” exists to be manipulated - when one is dealing with
> national security issues. The “investment” in standards was there to
> project such trust attacks, and engineer a deception-friendly environment,
> focused on human weakness, consumer or admin (or crypto officer) alike.
 
Lies everywhere ;-) You simply can't distinguish between a lie and the truth.
So I simply can't take *anything* of this into my calculations.

However, if your conclusion is 'not to rush'... how long should we wait before
you don't call it 'rushing' any more? What is your plan? Firing FUD and telling
people to sit and wait? Hmm, maybe I got something wrong... but I can't find
anything *useful* within your writing, sorry.

Tim