[Cryptography] OPENSSL FREAK

ianG iang at iang.org
Mon Mar 23 21:12:57 EDT 2015

On 23/03/2015 18:11 pm, WebDawg wrote:
> I had a question that may seem a bit late but:  why are/were the export
> ciphers still put into a current SSL suite?

The answer is in parts.

1.  In the 1990s it was believed that cipher agility was a good thing. 
Everyone had the right to propose their own pet algorithm and get it in 
there.  (Since then, we've figured out this is a very bad idea...)

1.b  There was a notion that having extra ciphers was good because we 
could always switch over if the need ever arose...

2.  Nobody created a plan, or a protocol, or a ceremony, or anything 
that actually told us how 1 billion browser users and 1 million server 
sysadmins would actually ... switch.  So when the time came, the switch 
couldn't be used, and wasn't relevant.

2.b  And of course, there was no plan/process/ceremony/desire to retire 
any algorithms.


More information about the cryptography mailing list