From owner-freebsd-security@FreeBSD.ORG Thu May 14 19:11:57 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7C0B73FD for ; Thu, 14 May 2015 19:11:57 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4CC4B162F for ; Thu, 14 May 2015 19:11:56 +0000 (UTC) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id E1C3C22B65 for ; Thu, 14 May 2015 15:11:54 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute5.internal (MEProxy); Thu, 14 May 2015 15:11:54 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=HVPzX1UHe+q/9hd 4w1I5EtGJq78=; b=W6cgNLt9q3l9X74nl/arE8+NF2eYbixB9tw31dEDVJ0RuW0 8FjFN1DU2gLfz69euKjCuT6oKQvpj3zRmP1n2+4GOPvCNtnBZi5PGmk2YexjEIg4 /PD1CFna0q3PjCUXg8ZV5GUsXSCr9jxKuRhAgl1V4YIOUyXjO3xgkTlLg1zA= Received: by web3.nyi.internal (Postfix, from userid 99) id AC3D71049EE; Thu, 14 May 2015 15:11:54 -0400 (EDT) Message-Id: <1431630714.2625524.268991529.7AC9C0B4@webmail.messagingengine.com> X-Sasl-Enc: UtXulc20ATw5w+JKedy5qqPoHstmQF1p+RaWQ4e3+xQC 1431630714 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Thu, 14 May 2015 14:11:54 -0500 In-Reply-To: References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 19:11:57 -0000 On Thu, May 14, 2015, at 10:20, Patrick Proniewski wrote: > On 14 mai 2015, at 16:13, jungle Boogie wrote: > > > On 14 May 2015 at 06:08, Mark Felder wrote: > >> > >> TLS 1.0 is dead and is even now banned in new installations according to > >> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported > >> by *any* HTTPS site now. > > > > > > Here, here! We ONLY have 1.0 enabled until the hardware vendor can > > upgrade their software. I'm looking to celebrate the day when we have > > 1.1 and 1.2 enabled. > > > That's always the problem with guys like you and me who live in the real > world. We can't cope with "what should be dead and no longer used". > Deprecated tomcat/Java/SSL/You-name-it software that you can't just > upgrade because it's used with hardware/software you can't get rid of. > At work we are in the ridiculous state where we have to package old > browser + old Java into VMware ThinApp "bubbles" to access production > tools. > > Removing TSL 1.0 is not a good move. It's possible to provide SSL with > TLS 1.2, having protection against protocol downgrade, and still provide > TLS 1.1 and 1.0 for older browsers. > I'm in the same boat right now fighting with a vendor who can't get their software to work beyond Java 1.7u45 (Java 7 is EoL ...) You can and will get rid of it when the cost of maintaining that awful, insecure software stack is more than throwing it away and cutting your losses. There is a righteous push right now for security and for new development practices: release early, release often, keep your software tested and working against modern software and libraries. This creates work for corporations and increases the cost of maintaining their cash cows. It's going to cut into their bottom lines. They're going to get angry. But their software is going to be better for it. Right now it's too easy to hack and compromise because the entire internet is lazy. Bad security practices have completely poisoned the well and it's time to forcibly drain it and start anew. It's going to hurt, and it's not going to be fun for grandma because someone needs to pick up the slack and make keeping up to date and secure computing a thoughtless task. For example, Windows 10 looks to eventually be a rolling release; strategies like that will help keep end-users up to date and secure. Personally I agree with phk that we don't need https *everywhere*. However, if you're going to implement crypto you need to do it right.