ietf
[Top] [All Lists]

On barnacles, drowning and why it is time to kill SSLv3 on the IETF mail server.

2016-03-01 11:41:20
http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/

Now can we please stop the discussion of why the IETF has to kill SSL3?

You do not get better security by deploying stronger crypto. You only
get better security by stopping using insecure crypto.

Keeping the SSL2 code paths in OpenSSL was a MISTAKE.They should be
excised with great prejudice and the code thrown into the hottest bit
furnaces of mount Mordor. AQnd the SSL3 code paths should follow them.

Maintaining legacy support for obsolete crypto positively harms good
crypto implementations. I don't want to see the code in the
distribution at all. Nor do I want to see support for the kitchen sink
of 40 obsolete crypto algorithms.

Killing off obsolete and broken crypto is actually more important than
developing the new stuff.

If people can't figure out how to find an email provider who can
support standards that have been published for over ten years now then
I have to wonder what value they provide to a standards organization.

One of the big problems at CERN was the attachment to obsolete FORTRAN
code bases even when it was known that they were absolutely riddled
with bugs. Throwing away the old crappy systems might seem a waste but
code and specifications do wear out. Support for legacy systems and
corner cases accumulate over time like barnacles on a sailing ship. If
you don't beech the ship from time to time and scrape off the
accumulated dreck, the ship gets slower and slower and eventually it
will sink.

OpenSSL has drowned because they didn't scrape off the barnacles. Lets
stop arguing over whether it is time to kill SSL3.

<Prev in Thread] Current Thread [Next in Thread>
  • On barnacles, drowning and why it is time to kill SSLv3 on the IETF mail server., Phillip Hallam-Baker <=