[Cryptography] OPENSSL FREAK
iang at iang.org
Sat Mar 28 17:35:15 EDT 2015
On 28/03/2015 18:05 pm, Tony Arcieri wrote:
> On Sat, Mar 28, 2015 at 6:37 AM, ianG <iang at iang.org> wrote:
> My point can then be interpreted as, until you find a way to disable
> the bad thing of insecure ciphers, cipher agility earns the title.
> Without cipher agility, you're stuck using the bad ciphers forever until
> you throw away the protocol and start over.
Yes. Do that. Not upgrading the protocol, not starting over is also a
bad thing. Indeed, it seems to be about an order of magnitude bigger
badder thing, according to discovered bugs.
(Note that this assumption is a core assumption in the anti-agility
approach - we are probably needing to replace our entire protocol every
5-10 years. If we could write protocols as well as we wrote algorithms,
we wouldn't need to worry about it.)