On Tue, Sep 09, 2014 at 10:40:26AM -0400, Salz, Rich wrote:

> That should probably also be done. But things like HIGH LOW,
> etc are point-in-time statements and raising the bar so that existing
> applications just get more secure without having to change anything
> is also worth doing.

This is often a misconception. There are two "bars" that can be raised:
the "floor" and the "ceiling". Raising the ceiling (strength of the most
preferred algorithms) improves security. For example, implement ChaCha
with Poly1305, and prefer it to RC4. Raising the floor often breaks
interoperability, and leads to people disabling security or automatically
failing over to cleartext, ...

https://www.ietf.org/mail-archive/web/perpass/current/msg00654.html

While there are minor inaccuracies in that post, the core points stand.
Far more productive than disabling RC4 would be ensuring that it is not
the preferred cipher suite when better options are enabled.

To improve security, raise the ceiling. ChaCha, new EC curves, extensions
to negotiate DH parameters, ...

Raising the floor can do more harm than good.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
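The floor-versus-ceiling argument above, worked through as an added example that is not part of the thread: a small simulation of server-preference cipher selection (the behaviour OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE option gives a server). The suite names and the two client offer lists are constructed for illustration; the point is that reordering the list gives modern clients the best suite while a legacy client still connects, whereas deleting the weak suite makes that client fail outright.

```python
"""Simulate TLS cipher-suite selection under server-side preference ordering.

Constructed example (not from the mailing-list post): suite names and client
offers are illustrative, modelled on OpenSSL-style cipher names.
"""

# Server preference list with the ceiling raised: AEAD suites first, RC4 kept
# only as a last-resort floor so that old clients can still negotiate.
SERVER_CEILING_RAISED = [
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "RC4-SHA",
]

# The same policy with the floor raised as well: RC4 removed entirely.
SERVER_FLOOR_RAISED = [s for s in SERVER_CEILING_RAISED if "RC4" not in s]

# Constructed client offers. The modern client lists RC4 last and prefers
# AES-GCM; the legacy client can only speak RC4 suites.
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "RC4-SHA"]
LEGACY_CLIENT = ["RC4-SHA", "RC4-MD5"]


def negotiate(server_prefs, client_offer):
    """Return the first suite in the *server's* order that the client also
    offers (server preference wins). None means the handshake fails."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def compare_policies(client_offer):
    """Show what one client gets under each policy: (ceiling_only, floor_too)."""
    return (negotiate(SERVER_CEILING_RAISED, client_offer),
            negotiate(SERVER_FLOOR_RAISED, client_offer))


if __name__ == "__main__":
    for name, offer in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        ceiling, floor = compare_policies(offer)
        print(f"{name:6} client: ceiling raised -> {ceiling}; floor raised -> {floor}")
```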