oss-sec mailing list archives
Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1]
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 15 Nov 2013 13:32:04 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/15/2013 12:18 PM, Chris Palmer wrote:
On Thu, Nov 14, 2013 at 10:58 PM, Kurt Seifried <kseifried () redhat com> wrote:Think of all the things that currently use (often older versions of) OpenSSL/PolarSSL/GnuTLS/etc and will never get updated...I posit that there is a strong correlation between un-updated, un-updatable software that did not ship with (for example) support for modern cipher suites and protocols, and software that should be recalled for a variety of reasons. Random example: https://securityledger.com/2013/08/samsung-smart-tv-like-a-web-app-riddled-with-vulnerabilities/ Let's unpack your use of the passive voice: Who, exactly, is choosing not to update the OpenSSL they ship? Why do we forgive that?
We don't have a choice? We already paid our money and as far as I know we have no recourse? We can buy "not that vendor" but all the vendors do this, simple economics, you paid for it, why would I spend money supporting it? Especially when that model is no longer being manufactured. Especially when my customers appear to have no expectation that I'll support it? This is why I bought a "dumb" TV. And why I won't get a carrier controlled Android phone ever (they have a less then perfect upgrade track record). But most people are not crazy and paranoid like me.
To an extent, even security engineers are acting as enablers, allowing obsolete software/protocols/cipher suites to live far longer than they should have.
We can't force stuff to die, and I bet those security engineers usually lose to managers talking about margins and such.
"LTS", "ESR", and not EOL'ing Windows XP 4+ years ago is a significant part of the problem.
I can't speak to that, even if we support OpenSSL/whatever long term that's only the tip of the proverbial ice berg. The supply chain for this stuff is _deep_. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJShoTEAAoJEBYNRVNeJnmTEo8QAL0VRMCKMS3nzd9Dhd7I1+Rx yhov1UmK9WhZyK2aLsy21XZ33vjGd2uhkynCrq+Uo/x8hxGTrbrXVzT8jDuU+b7I NCZfo2pks7y/Qp+KtSiIw3IyF9b8OFGuMgEK5znLFigz1wFWGwjRQnybiMag3WAQ F5HDDgEshbiTCyWBrUvjyY0lIok1Y9CyzkTFcnSGQ9WhUPDQxOZ1laUhJVvz5yX8 kbAnbblnnSwpW1zMPRB79RLJFy4Rkq+rGm1tzbsavaesmPRhdDf3PZ1ZTFEwI/bn No0I5xzUPpiD1jBgHxWFfD40+CAr2VISR7FObD/JHeSF0+Tpy2pBeq7RW4/MM5w7 /cznS7Cd17A74InICfjfbTkRaMCY2qfrdPo7sI4O33QteaeXRGKg1BrNimLq+LF+ KRTVlb5RkuHVfgppq9/Jh4n3B4avDkeiUYyAtTRNvmhgu9Hyj8tN9I3nIylWXIzI wCoHMr7oYc6Xa/RydnVVy9h2LVdZiuePCQ0RyEatW59HuPL471DxLr6o2HCZe8TT /kOdjGz22CooKryIa+pm434sdVlPMVTRtkJkWKtWlEf7NfdGqiK4rlEebuQWiRR2 ylqFn7vgWfCT9jsYEzJW92NnqV1F9Swh9ZuOU4Ac8oLDqcVx3ckHPWWWjOhFnrnY Bq0PRSTYZPP/PvNlrVS4 =wdou -----END PGP SIGNATURE-----
Current thread:
- Microsoft Warns Customers Away From RC4 and SHA-1 Kurt Seifried (Nov 12)
- Re: Microsoft Warns Customers Away From RC4 and SHA-1 Tim (Nov 13)
- Re: Microsoft Warns Customers Away From RC4 and SHA-1 Eric H. Christensen (Nov 13)
- cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Daniel Kahn Gillmor (Nov 13)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Tim (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Kurt Seifried (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Chris Palmer (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Kurt Seifried (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Chris Palmer (Nov 15)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Kurt Seifried (Nov 15)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Marcus Meissner (Nov 15)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Tim (Nov 15)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Seth Arnold (Nov 15)
- Re: Microsoft Warns Customers Away From RC4 and SHA-1 Tim (Nov 13)