Subject: Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
From: Matti Nykyri
Date: Mon, 21 Apr 2014 09:57:22 +0300
To: "gentoo-user@lists.gentoo.org"

On Apr 20, 2014, at 20:20, Joe User wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 20.04.2014 18:40, Matti Nykyri wrote:
>> On Apr 20, 2014, at 15:38, Mick wrote:
>>
>>> On Sunday 20 Apr 2014 10:10:42 Dale wrote:
>>>
>>> Just a 1/3 of all websites offer TLSv1.2 at the moment and hardly
>>> any public sites offer it as an exclusive encryption protocol,
>>> because they would lock out most of their visitors. This is
>>> because most browsers do not yet support it. MSWindows 8.1 MSIE
>>> 11 now offers TLSv1.2 by default and has dropped the RC4 cipher
>>> (since November last year). I understand they are planning to
>>> drop SHA-1 next Christmas and have already dropped MD5 because of
>>> the Flame malware. This should push many websites to sort out
>>> their encryption and SSL certificates and move away from using
>>> RC4 and SHA1 or MD5. As I said RC4 has been reverted to by many
>>> sites as an immediate if interim defence against the infamous
>>> BEAST and Lucky Thirteen attacks.
>>
>> This is a problem all Microsoft's customers are facing.
>
> Take a look on Linux Distros from 2000 when WinXP has been developed,
> and you'll see, that the Linux Distros weren't better in this. Same
> for the time when WinVista was developed, and the same for Win7 and Win8.
> So don't blame Microsoft for things that they did as good as everybody
> else did, that would be unfair.

Ok, that's a good point. Sorry, didn't really think about it that way.
It's mostly a user issue for not updating their software. But still the
point is correct that the ones that are suffering from this are their
customers, although it's not Microsoft's fault. But the number of people
using a Linux Distro from the year 2000 is negligible... And of course
there are many reasons for that.

But what is something to blame Microsoft for is the order of preference
that MSIE selects its cipher. I don't know if the user can change this
order but I think it would be better to order them by security and not
by some other factor i.e. speed.
But that's just my opinion and I usually try to stay away from Windows :)

>> Anyways I just wonder who trusts software whose source code isn't
>> open and reviewed by a large community that don't have a
>> financial interest on you.
>
> Ouch, wrong argument, really! Nobody in the large opensource community
> had ever reviewed the heartbeat code in more than two years. This was
> not a harmless bug in a mostly unused library, it was a really big
> issue in one of the most used library in the world and *nobody* saw it.
> Has openssl ever been carefully audited? I don't think so and I bet
> that there are more heartbleed like bugs in openssl.

Yes heartbleed was solely a bug in openssl and yes it was truly severe
and that should never ever be allowed to happen.

> On the other hand schannel (the Windows cryptolib) is regularly audited.
> Sorry, but the large opensource community is blind on both eyes,
> whereas the closed source community is only blind on one eye.

But I still disagree... Everybody has some goals why they are doing
something.. Some of these goals might be private and some are public.
The public and private goal need not correlate. For any PLC their true
goal is to make money for their stock holders. People are by nature
greedy and put their own interests above everybody else's. I think there
are less of these greedy people within the open-source community than in
general.

How can you say that nobody is auditing the security of open-source
software? We audit all the software and hardware we use! And every
company should. Open-source is just easier coz you have the source to
look at. Hardware is the trickiest one to audit of course. Big agencies
have capital to put their people to work in the closed source companies
and try to inject their goals to the code. It is even harder if you
inject the vulnerability to hardware as claimed by Snowden.

If you look at Linux kernel I think that is a quite good example on how
software should be developed. The update cycle is fast and the few bugs
that are found get fixed rapidly. And the better the program is written
the easier it is to debug and avoid security disasters. Just by
reviewing a file you can see how well it is organized and that tells you
about the quality of the program.

All these things are mostly opinions and speculation because all the
data has not been disclosed. Snowden revealed it to some extent but with
that content you can analyze the whole extent of operations. What would
you do if there were no limits?

-- 
-Matti