On Thu, May 14, 2015, at 10:20, Patrick Proniewski wrote:
> On 14 May 2015, at 16:13, jungle Boogie wrote:
>
> > On 14 May 2015 at 06:08, Mark Felder <f...@freebsd.org> wrote:
> >>
> >> TLS 1.0 is dead and is even now banned in new installations according to
> >> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
> >> by *any* HTTPS site now.
> >
> > Hear, hear! We ONLY have 1.0 enabled until the hardware vendor can
> > upgrade their software. I'm looking to celebrate the day when we have
> > 1.1 and 1.2 enabled.
>
> That's always the problem with guys like you and me who live in the real
> world. We can't cope with "what should be dead and no longer used".
> Deprecated tomcat/Java/SSL/You-name-it software that you can't just
> upgrade because it's used with hardware/software you can't get rid of.
> At work we are in the ridiculous state where we have to package old
> browser + old Java into VMware ThinApp "bubbles" to access production
> tools.
>
> Removing TLS 1.0 is not a good move. It's possible to provide SSL with
> TLS 1.2, having protection against protocol downgrade, and still provide
> TLS 1.1 and 1.0 for older browsers.
I'm in the same boat right now fighting with a vendor who can't get their software to work beyond Java 1.7u45 (Java 7 is EoL ...)

You can and will get rid of it when the cost of maintaining that awful, insecure software stack is more than throwing it away and cutting your losses. There is a righteous push right now for security and for new development practices: release early, release often, keep your software tested and working against modern software and libraries. This creates work for corporations and increases the cost of maintaining their cash cows. It's going to cut into their bottom lines. They're going to get angry. But their software is going to be better for it.

Right now it's too easy to hack and compromise because the entire internet is lazy. Bad security practices have completely poisoned the well and it's time to forcibly drain it and start anew. It's going to hurt, and it's not going to be fun for grandma because someone needs to pick up the slack and make keeping up to date and secure computing a thoughtless task. For example, Windows 10 looks to eventually be a rolling release; strategies like that will help keep end-users up to date and secure.

Personally I agree with phk that we don't need https *everywhere*. However, if you're going to implement crypto you need to do it right.

freebsd-security@freebsd.org mailing list
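An added check for the situation the thread describes, not code from either post: this Python 3 script (standard library only) pins a client to each TLS version in turn against a server you operate, records which versions the server still completes a handshake for, and labels the states discussed above (TLS 1.0 still on as PCI DSS 3.1 bans it; old versions kept beside 1.2 where downgrade protection must be confirmed). The host and port are whatever you pass in, and the finding codes are labels of my own.

```python
import socket
import ssl

# Versions to try, oldest first; each probe pins the client to exactly one of them.
VERSIONS = [("TLS 1.0", ssl.TLSVersion.TLSv1), ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
            ("TLS 1.2", ssl.TLSVersion.TLSv1_2), ("TLS 1.3", ssl.TLSVersion.TLSv1_3)]

FINDINGS = {  # finding code -> what it means in the thread's terms
    "TLS1.0_ENABLED": "TLS 1.0 accepted; PCI DSS 3.1 bans it for new installations",
    "NO_MODERN_TLS": "neither TLS 1.2 nor 1.3 offered, so nothing modern can be negotiated",
    "CHECK_DOWNGRADE_PROTECTION": "old versions kept beside 1.2+; confirm the server honours "
                                  "TLS_FALLBACK_SCSV (RFC 7507) so 1.2 clients cannot be downgraded",
}

def probe_version(host, port, version, timeout=5.0):
    """Return True if host:port completes a handshake pinned to exactly `version`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # protocol support is all we measure here
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL >= 1.1.0 refuses TLS 1.0/1.1 at its default security level;
        # lower it so a rejection really comes from the server, not our own client.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ValueError, OSError):
        return False   # refused, unsupported by this build, or unreachable

def probe_host(host, port=443):
    """Map each version name to whether the server accepted it."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}

def assess(supported):
    """Turn a probe result into finding codes (see FINDINGS), in a fixed order."""
    modern = bool(supported.get("TLS 1.2") or supported.get("TLS 1.3"))
    codes = []
    if supported.get("TLS 1.0"):
        codes.append("TLS1.0_ENABLED")
    if not modern:
        codes.append("NO_MODERN_TLS")
    if supported.get("TLS 1.0") and modern:
        codes.append("CHECK_DOWNGRADE_PROTECTION")
    return codes
```

Run it as `assess(probe_host("host.you.operate"))` and look the codes up in FINDINGS; Python's ssl module cannot itself send TLS_FALLBACK_SCSV, so the downgrade finding is a reminder to verify that separately (for example with `openssl s_client -fallback_scsv` against the same server).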