[Cryptography] OPENSSL FREAK

ianG iang at iang.org
Sat Mar 28 17:35:15 EDT 2015

On 28/03/2015 18:05 pm, Tony Arcieri wrote:
> On Sat, Mar 28, 2015 at 6:37 AM, ianG <iang at iang.org
> <mailto:iang at iang.org>> wrote:
>     My point can then be interpreted as, until you find a way to disable
>     the bad thing of insecure ciphers, cipher agility earns the title.
> Without cipher agility, you're stuck using the bad ciphers forever until
> you throw away the protocol and start over.

Yes.  Do that.  Not upgrading the protocol, not starting over is also a 
bad thing.  Indeed, it's seems to be about an order of magnitude bigger 
badder thing, according to discovered bugs.

(Note that this assumption is a core assumption in the anti-agility 
approach - we are probably needing to replace our entire protocol every 
5-10 years.  If we could write protocols as well as we wrote algorithms, 
we wouldn't need to worry about it.)


More information about the cryptography mailing list