On Wed, 01 Apr 2015 14:59:01 +0200 Chí-Thanh Christopher Nguyễn <chith...@gentoo.org> wrote:
> As far as I know this is correct.
> All SSL protocol versions including v3 have known vulnerabilities.

Yeah, but this is a pointless statement in the discussion. Nobody says we should deploy https via sslv3. Of course if people want https they mean "https as in 2015 https", not "https as in 199x https".

> In addition, a number of implementations of TLS 1.0 and 1.1 have been
> found susceptible to the Poodle and/or FREAK attacks.

Implementation bugs that can be fixed (and are fixed). FREAK is only an issue if you have crazy configured servers (again, https as in 199x), POODLE TLS is only affecting some crappy proprietary load balancers (and erlang, but nobody has proposed to use an erlang https server).

People want to deploy pgp sigs (which is - to be clear - a good idea I fully support). I personally found countless minor security issues in gpg lately. Should that stop us from using pgp sigs? Of course not.

And the claims about https being a performance / cpu stress horror are also completely exaggerated. https performance is mostly a non-issue and based on urban legends rather than benchmarks.

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
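The point of the reply above is that "https as in 2015" means a TLS configuration that no longer offers SSLv3, pre-1.2 protocol versions, or export-grade cipher suites (the misconfiguration FREAK relies on). The following is an added example, not code from the thread or from any of its participants: it builds such a hardened context with Python's standard `ssl` module and audits a context for the legacy settings the discussion mentions. The cipher string and the substrings treated as "weak" are this example's own choices, not anything the thread specifies.

```python
import ssl

# Constructed policy for this example: forward-secret ECDHE suites with AEAD
# ciphers only; export, NULL, DES, RC4 and MD5 suites are explicitly removed.
MODERN_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
)

# Substrings in OpenSSL cipher names that mark suites this example rejects
# (export-grade suites as abused by FREAK, NULL encryption, RC4, single/3DES).
WEAK_CIPHER_MARKERS = ("EXP", "NULL", "RC4", "DES")


def modern_context() -> ssl.SSLContext:
    """Server-side context for a 2015-style (or later) https deployment."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse SSLv3, TLS 1.0 and TLS 1.1 outright rather than relying on
    # per-version OP_NO_* flags.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(MODERN_CIPHERS)
    # A real deployment would also call ctx.load_cert_chain(cert, key) here.
    return ctx


def allows_legacy_protocols(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate anything below TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of configured cipher suites that match a weak-cipher marker."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)
    ]


def audit_context(ctx: ssl.SSLContext) -> list:
    """Human-readable findings; an empty list means the context passes."""
    findings = []
    if allows_legacy_protocols(ctx):
        findings.append("legacy protocol versions enabled (below TLS 1.2)")
    for name in weak_ciphers(ctx):
        findings.append(f"weak cipher suite offered: {name}")
    return findings


if __name__ == "__main__":
    ctx = modern_context()
    print("minimum version:", ctx.minimum_version.name)
    print("suites offered:", [c["name"] for c in ctx.get_ciphers()])
    print("findings:", audit_context(ctx) or "none")
```

Run it once against a freshly built context and once against a context taken from an existing application (for example the object a framework hands you) to see whether a deployment still matches the "199x https" the reply is dismissing. Note that `get_ciphers()` lists only what the linked OpenSSL build can offer, so an empty finding list also reflects the library, not just the configuration.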