[Cryptography] DROWN attack on SSLv2 enabled servers

Perry E. Metzger perry at piermont.com
Sun Mar 6 19:31:11 EST 2016


On Sun, 6 Mar 2016 20:29:24 +0000 ianG <iang at iang.org> wrote:
> The fundamental systemic problem I believe is that few of the
> crypto projects have a holistic view to upgrade.  Instead, they've
> preferred to travel with the false sirens of algorithm agility.
> 

I have no idea what this is intended to mean. However, the OpenSSL
people have been working very, very hard on cleaning up their code
since Heartbleed, and the security community has been focusing very
seriously on finding associated holes in the protocols and
implementations. After 1.1 gets released, a lot of the current issues
are likely to start sunsetting, though it will take some time for the
code to get widely deployed.

Perry
-- 
Perry E. Metzger		perry at piermont.com

