public inbox for gentoo-user@lists.gentoo.org
From: Joe User <mailinglists@rootservice.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Date: Sun, 20 Apr 2014 19:20:13 +0200	[thread overview]
Message-ID: <3gBd8p3tzBz62Yt@devnoip.rootservice.org> (raw)
In-Reply-To: <801A9D1D-60CA-40B6-889F-AA84F470E0D4@iki.fi>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 20.04.2014 18:40, Matti Nykyri wrote:
> On Apr 20, 2014, at 15:38, Mick <michaelkintzios@gmail.com> wrote:
> 
>> On Sunday 20 Apr 2014 10:10:42 Dale wrote:
>> 
>> Just a 1/3 of all websites offer TLSv1.2 at the moment and hardly
>> any public sites offer it as an exclusive encryption protocol,
>> because they would lock out most of their visitors. This is
>> because most browsers do not yet support it.  MSWindows 8.1 MSIE
>> 11 now offers TLSv1.2 by default and has dropped the RC4 cipher
>> (since November last year).  I understand they are planning to
>> drop SHA-1 next Christmas and have already dropped MD5 because of
>> the Flame malware.  This should push many websites to sort out
>> their encryption and SSL certificates and move away from using
>> RC4 and SHA1 or MD5.  As I said RC4 has been reverted to by many
>> sites as an immediate if interim defence against the infamous
>> BEAST and Lucky Thirteen attacks.
> 
> This is a problem all Microsoft's customers are facing.

Take a look at Linux distros from 2000, when WinXP was being developed,
and you'll see that the Linux distros weren't any better at this. The same
goes for the time when WinVista was developed, and the same for Win7 and Win8.
So don't blame Microsoft for things that they did as well as everybody
else did; that would be unfair.

> Anyways I just wonder who trusts software whose source code isn't
> open and reviewed by a large community that doesn't have a
> financial interest in you.

Ouch, wrong argument, really! Nobody in the large open-source community
had reviewed the heartbeat code in more than two years. This was
not a harmless bug in a mostly unused library, it was a really big
issue in one of the most used libraries in the world and *nobody* saw it.
Has OpenSSL ever been carefully audited? I don't think so, and I bet
that there are more Heartbleed-like bugs in OpenSSL.
On the other hand, SChannel (the Windows crypto library) is regularly audited.
Sorry, but the large open-source community is blind in both eyes,
whereas the closed-source community is only blind in one eye.



-- 
Kind Regards,                             Mit freundlichen Grüssen,
Markus Kohlmeyer                                   Markus Kohlmeyer

PGP: 0xEBDF5E55 / 2A22 1F71 AA70 1AD1 231B 0178 759F 407C EBDF 5E55
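The message above argues about which protocol versions, cipher suites and certificate signature algorithms public sites actually negotiate (TLSv1.2 support, RC4 as a BEAST/Lucky Thirteen workaround, SHA-1 and MD5 certificate signatures). The script below is an added example, not code from the thread or from any of its participants: it parses the `Protocol`/`Cipher` lines that `openssl s_client` prints and the `Signature Algorithm` line that `openssl x509 -text` prints, and flags the three weaknesses the thread discusses. The function names, the `probe_host` wrapper and the sample outputs are constructed for illustration; only the `openssl` invocations are real commands.

```shell
#!/bin/sh
# Added example (not from the thread): classify a captured TLS handshake
# and certificate dump for the weaknesses discussed above.
# Assumed: OpenSSL command-line tools; output format of `s_client` and
# `x509 -text` as of OpenSSL 1.0.x. Helper names are made up.

# Extract one "<name> : value" field from an openssl text dump.
#   $1 = field name (Protocol, Cipher, "Signature Algorithm")
#   $2 = captured output text
s_client_field() {
  printf '%s\n' "$2" | sed -n "s/^ *$1 *: *//p" | head -n 1
}

# TLS 1.2 or newer counts as modern; everything else is legacy.
protocol_is_modern() {
  case "$1" in
    TLSv1.2|TLSv1.3) return 0 ;;
    *) return 1 ;;
  esac
}

# The RC4 fallback discussed in the thread shows up in the suite name.
cipher_is_rc4() {
  case "$1" in *RC4*) return 0 ;; *) return 1 ;; esac
}

# SHA-1 and MD5 certificate signatures are the ones browsers are dropping.
sigalg_is_weak() {
  case "$1" in sha1*|md5*) return 0 ;; *) return 1 ;; esac
}

# Assess a handshake ($1 = s_client output) and a certificate ($2 = x509 -text
# output). Prints "OK: ..." and returns 0, or "WEAK: ..." and returns 1.
assess_tls() {
  proto=$(s_client_field Protocol "$1")
  cipher=$(s_client_field Cipher "$1")
  sigalg=$(s_client_field 'Signature Algorithm' "$2")
  issues=""
  protocol_is_modern "$proto" || issues="$issues old-protocol:$proto"
  cipher_is_rc4 "$cipher" && issues="$issues rc4-cipher:$cipher"
  sigalg_is_weak "$sigalg" && issues="$issues weak-cert-signature:$sigalg"
  if [ -n "$issues" ]; then
    printf 'WEAK:%s\n' "$issues"
    return 1
  fi
  printf 'OK: %s %s %s\n' "$proto" "$cipher" "$sigalg"
}

# Live use (needs network): s_client prints the leaf certificate PEM, which
# `openssl x509` reads straight from that output.
probe_host() {
  hs=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
  cert=$(printf '%s\n' "$hs" | openssl x509 -noout -text 2>/dev/null)
  assess_tls "$hs" "$cert"
}

# Constructed sample: a server that fell back to RC4 on TLS 1.0 (trimmed
# s_client output) with a SHA-1 signed certificate.
SAMPLE_RC4_HANDSHAKE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-RC4-SHA'
SAMPLE_SHA1_CERT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example CA'

# Constructed sample: a server with a modern configuration.
SAMPLE_MODERN_HANDSHAKE='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_SHA256_CERT='Certificate:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example CA'

# Stand-alone demo on the constructed samples (no network needed).
assess_tls "$SAMPLE_RC4_HANDSHAKE" "$SAMPLE_SHA1_CERT" || :
assess_tls "$SAMPLE_MODERN_HANDSHAKE" "$SAMPLE_SHA256_CERT" || :
```

On a real host, `probe_host example.org` gives the verdict for whatever the server negotiates by default; adding `-tls1_2` to the `s_client` call (or `-no_tls1_2`) answers the narrower question of whether TLSv1.2 is offered at all, and `-cipher RC4` checks whether the server will still accept an RC4 suite when the client asks for one.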

