Hello Hanno!

Despite not being an active community member, I'd like to share my thoughts on it, if you don't mind. I certainly agree that this extension has a quite faulty specification and very questionable use. But perhaps, instead of just removing it from OpenSSL, we should try to make IETF deprecate it in a spec as well?

Cheers,
Fedor.

On Tue, Apr 15, 2014 at 4:17 PM, Hanno Böck <ha...@hboeck.de> wrote:
> Hi,
>
> I think this question needs to be asked.
>
> We have a TLS extension here that - as far as I can see - nobody uses.
> I have asked in different contexts recently if anyone is aware of real
> software that makes use of the heartbeat extension. I often got
> answers like "it could be used for X", but not a single one of them
> saying "there is software Y that does X with it". Also, a search on
> ohloh turned up nothing.
>
> I think there is no justification to have an extension that gets
> enabled by default around if it is not used. So I propose that openssl
> either disables it in the default build or removes it completely.
> I'd suggest the first one if there are reasonable chances that anyone
> might use it in the future.
>
> And: I'd like to see a discussion on what further unused features there
> are in OpenSSL that could be disabled just to reduce attack surface.
> E.g. I could think of removing DSA key support, because nobody uses that
> anyway and DSA is a bad algorithm.
>
> cu,
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: BBB51E42