On 2/12/2025 2:34 PM, William Herrin wrote:
> On Wed, Feb 12, 2025 at 9:58 AM Jack Bates <jba...@paradoxnetworks.net> wrote:
>> The software has no concept of what the data is
>
> Which is why the software shouldn't be making a hard decision about
> appropriate cryptography. The users on the two ends, the folks who do
> know what the data is, should have the final say. The software should
> set sensible defaults and then let those users decide what to do about
> the large and growing gap of failure between the current default and
> the often still allowed unencrypted plain text.

Most users don't have any idea and would allow an attacker to compromise
their bank connection if given the choice. The defaults are designed to
protect the majority?

> That "curl https://enemieslist.com" returns a fault is not
> unreasonable. That "curl --insecure https://enemieslist.com" also
> fails reflects faulty thinking on the part of alleged security
> experts.

I suspect --insecure has special meaning and shouldn't be overloaded to
include anything that is "insecure". However, curl depends on the
underlying libraries, and I believe it was those libraries that are
being compiled and installed with older stuff disabled. A quick search
shows you have to do custom builds to enable them on any current system.

> My personal pain point is out of band access to older servers. They're
> well past the manufacturer's maintenance so there are no more software
> updates. I can use nice modern VPN software to secure the channel
> between me and their LAN, but I have to maintain obsolete versions of
> web browsers and their dependent libraries along with obsolete
> versions of Java because the modern ones won't connect. I'd rather
> have less obsolete bug-ridden software around, but the self-appointed
> security experts have stolen that choice from me.

In my experience, except for Java incompatibilities itself, you can
usually tweak the configuration and exception rules to get Java to
connect and accept older signed packages. Sometimes you have to retweak
after an upgrade. Firefox appears to have quite a few options in
about:config to enable older stuff and also supports exception lists for
some things.

Of course, my experience is limited, and I may not be nearly as archaic
as you.

Jack
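The thread contrasts a blanket `--insecure` switch with per-host exception lists, and notes that the TLS floor is ultimately set by the underlying library build. The example below is an added illustration, not code from either poster: it shows the exception-list approach in Python's standard `ssl` module. Hosts on an operator-maintained allow-list get a relaxed TLS floor and skip CA validation, but only if the certificate they present matches a SHA-256 fingerprint pinned in advance; every other host goes through the normal verified default context. The hostname `oob-console.example`, the sample certificate bytes and the pin table are constructed placeholders, and whether TLS 1.0 can actually be negotiated still depends on how the local OpenSSL was compiled, which is exactly the library-level restriction discussed above.

```python
"""Per-host exceptions for a legacy out-of-band server (added example).

Rather than a global "trust anything" flag, keep an explicit allow-list of
host -> SHA-256 fingerprint of the DER certificate that the operator has
checked over a trusted path (for example the VPN-protected LAN mentioned in
the thread). Only those hosts get the relaxed context, and even then the
connection is dropped unless the presented certificate matches the pin.
"""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a captured DER certificate; a real deployment
# would store the fingerprint of the device's actual certificate here.
SAMPLE_DER = b"abc"


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate, as curl/openssl would print it."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed allow-list: hostname (placeholder) -> expected fingerprint.
LEGACY_PINS = {
    "oob-console.example": fingerprint(SAMPLE_DER),
}


def pin_matches(host: str, der_cert: bytes, pins=LEGACY_PINS) -> bool:
    """True only for an allow-listed host whose certificate hash equals the pin."""
    expected = pins.get(host)
    if expected is None:
        return False
    return hmac.compare_digest(fingerprint(der_cert), expected.lower())


def legacy_context() -> ssl.SSLContext:
    """Client context used ONLY for allow-listed hosts.

    CA validation is switched off because the pin replaces it. The floor is
    lowered to TLS 1.0 and OpenSSL's security level to 0; if the library was
    built without the old protocols or ciphers, those calls fail or have no
    effect and the handshake still refuses, which is the behaviour the thread
    complains about.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        pass  # library refuses the old floor; keep its default
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # cipher string rejected by this build; keep its default
    return ctx


def connect(host: str, port: int = 443, pins=LEGACY_PINS, timeout: float = 10):
    """Open a TLS socket: pinned legacy path for allow-listed hosts, verified
    default path for everything else. Returns the wrapped socket."""
    ctx = legacy_context() if host in pins else ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if host in pins:
        # binary_form=True returns the DER even though CERT_NONE skipped validation
        der = tls.getpeercert(binary_form=True) or b""
        if not pin_matches(host, der, pins):
            tls.close()
            raise ssl.SSLError(f"certificate for {host} does not match the operator's pin")
    return tls


if __name__ == "__main__":
    # Offline demonstration of the pin check; connect() needs a live host.
    print(pin_matches("oob-console.example", SAMPLE_DER))   # True
    print(pin_matches("oob-console.example", b"tampered"))  # False
    print(pin_matches("bank.example", SAMPLE_DER))           # False
```

The fingerprint can be taken from the device over the trusted path with `openssl s_client` and `openssl x509 -fingerprint -sha256`, and the same idea is available on the command line through curl's `--pinnedpubkey` option, which scopes the exception to one known key rather than disabling verification for every destination.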