<div dir="ltr"><br><div class="gmail_quote"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Have a look at the protocol. If a HELLO packet arrives, every implementation knows what to do. If a USE AES256 arrives, every node knows what to do.<br>
<br>
If a SWITCH NOW packet arrives, what would we do?<br>
<br>
There is no answer to that. There isn't even a SWITCH NOW packet...<br>
<br>
And, everyone's scratching their heads saying, wait, iang, you looney, that makes no sense at all.<br>
<br>
<br>
<br>
Now go helicopter: There's a mechanism to PUT IN the algorithms and CHOOSE the algorithms. But no mechanism to TAKE THEM OUT, nor to SWITCH.<br>
<br>
So obviously, uncontrolled growth was the order of the day, and at the micro level, down in the dirt, we get results like this:<span><br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The reason browsers kept the<br>
export ciphers, is mostly attributed to their strive for 100%<br>
compatibility with any legacy server out there.<br>
</blockquote>
<br>
<br></span>
The reason the browsers kept the export ciphers is because they haven't got a way to get rid of them *in the legacy servers*.<span><font color="#888888"><br>
</font></span></blockquote><div><br><br></div></div></div><div>I guess the problem I see with it all is that the ineffective algorithms are put into something that is depended on by a lot of people to secure a lot of information in a modern/competitive world. If someone needs to use those ineffective algorithms in their lawful version of whatever world they are in, it should be the work of that group to provide backwards capability and provide patches/whatever to provide it.<br><br></div><div>It keeps getting mentioned that they are put in there so people can keep interfacing to old outdated servers and services also, but what the heck? When has it ever been common place to keep something similar like a vulnerable script/code interpreter around so things just "work"?<br><br></div><div>Why is upgrading a protocol of a network infrastructure any different then the necessity of patching vulnerabilities in software code? Who cares if it breaks compatibility, it needs fixed.<br><br></div><div>I think it is even worse to do something like this, with a piece of software like this, because its primary function IS security/encryption. It is still a piece of code that is broke, it is just broke in a different way that does not need to be fixed, but pruned.<br><br></div><div>Even if a SWITCH or TAKE OUT was put into the code it is just another place to potentially exploit. The TAKE OUT sounds nice, but I would think in a CHOOSE, it would just remove the rest anyways. <br></div></div></div></div>
</div><br></div>