Date: Mon, 13 Sep 2021 00:10:33 +0200
From: Dan Lukes <dan@obluda.cz>
To: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: Important note for future FreeBSD base system OpenSSH update
Message-ID: <0c3a5f3c-fb07-fae3-22f3-28703c842deb@obluda.cz>
In-Reply-To: <A8BD4882-6DCD-4A5B-BFEF-139C778FE82C@tetlows.org>
References: <CAPyFy2A390kS_C3g=Y9QhQcJ06z_FKUxXsNvi9g2CdWF24pukg@mail.gmail.com> <CAPyFy2B04b0GtWoHFQwxht5vK4_cnApPXpDLXU+RvcR=2L9YxA@mail.gmail.com> <CAPyFy2Aw8Z3ngiM8YHApjjPRLZVC5MCN8TRQkh6pj2fSeM1zqw@mail.gmail.com> <8169A4A8-B8D1-4265-87C8-74ED4D34FBC8@fasel.at> <2bb56783-2727-9bea-7810-58969d91c00f@denninger.net> <A8BD4882-6DCD-4A5B-BFEF-139C778FE82C@tetlows.org>
On 12.9.2021 23:27, Gordon Tetlow via freebsd-security wrote:
> Blaming the browser and other client providers (OpenSSH, etc) for a
> problem that is 100% because the devices are now abandoned by the
> manufacturer is the wrong place to focus your anger. We have an
> enormous problem in the industry of crappy embedded devices (like the
> OOB management plane) accruing technical security debt while the
> manufacturers give "a middle finger back" as you say. The
> supportability of the hardware needs to be baked into the purchasing
> decision. Commitments from the manufacturers on supportability
> timeframes are important to understand and budget into a hardware
> refresh cycle.

"One size fits all" may be an acceptable approach for unskilled home users, but not for professional use. The security mechanism may be secure enough for a particular use even if there are known issues with the method in question.

There may be various reasons to abandon a particular method/algorithm, but don't claim it's for my security, because it's just not true. If a particular algorithm is not secure enough for me, I'm not using it despite it being supported. If an algorithm is the best for a particular case (which is why I'm using it), its removal will decrease the overall security of such a system. In no case will the security be increased.

We should avoid making decisions on behalf of a skilled security officer familiar with the particular use case.

Just my $0,02

Dan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0c3a5f3c-fb07-fae3-22f3-28703c842deb>