[Cryptography] OPENSSL FREAK
ianG
iang at iang.org
Sat Mar 28 09:37:35 EDT 2015
On 28/03/2015 05:42 am, Tony Arcieri wrote:
> On Tue, Mar 24, 2015 at 4:00 PM, ianG <iang at iang.org> wrote:
>
> 1. In the 1990s it was believed that cipher agility was a good thing.
> Everyone had the right to propose their own pet algorithm and get it in
> there. (Since then, we've figured out this is a very bad idea...)
>
>
> Your answer is twisting facts. The export ciphers were not because
> everyone could propose their own pet algorithm. The export ciphers were
> part of the core SSL 3.0 specification. Whether the specification
> allowed its extension beyond the export ciphers is irrelevant. Actually,
> the fact that today we use AES instead of RC4-40 is just because SSL 3.0
> had agility.
>
>
> He :) well, what you're saying isn't so different, so, I'll move on.
>
>
> Nikos's point is pretty important. Going back to what you said:
>
> "In the 1990s it was believed that cipher agility was a good thing."
>
> Cipher agility is definitely a good thing. The bad thing is failing to
> disable insecure ciphers.

My point can then be interpreted as, until you find a way to disable the
bad thing of insecure ciphers, cipher agility earns the title.

iang