On 2016-Aug-07 15:25:54 +0300, Andrey Chernov <a...@freebsd.org> wrote:
>You should address your complains to original openssh author instead, it
>was his decision to get rid of weak algos.

No.  It's up to the person who imported the code into FreeBSD to understand
why the change was made and to be able to justify it to the FreeBSD
community.  Firstly, security is not absolute - it's always a cost-benefit
tradeoff and different communities may make different tradeoffs.  Secondly,
the importer needs to be confident that the code is actually an improvement,
not an attempt by a bad actor to undermine security.

> In my personal opinion, if
>your hardware is outdated, just drop it out.

This is part of the cost-benefit analysis.  Replacing hardware has a real
cost.  If it's inside a datacentre, where the management LAN is isolated
from the rest of the world, there may be virtually no benefit to disabling
"weak" ciphers.

>We can't turn our security
>team into compatibility team, by constantly restoring removed code, such
>code quickly becomes outdated and may add new security holes even being
>inactive.

OTOH, FreeBSD has a documented deprecation process that says things will
continue working for a major release after being formally deprecated.  I
don't believe there was any mention about DSA being deprecated before now so
I would expect there to be a clearly documented process to restore the
ability for a FreeBSD-11 ssh client to talk to a server using 1024-bit DSA.
Note that the handbook still talks about using DSA - that needs updating as
well.

-- 
Peter Jeremy

Attachment: signature.asc
Description: PGP signature

Reply via email to