On Tue, Sep 09, 2014 at 10:40:26AM -0400, Salz, Rich wrote:
> That should probably also be done. But things like HIGH LOW,
> etc are point-in-time statements and raising the bar so that existing
> applications just get more secure without having to change anything
> is also worth doing.
This is often a misconception. There are two "bars" that can be
raised. The "floor" and the "ceiling".
Raising the ceiling (strength of most preferred algorithms) improves
security. For example implement ChaCha with Poly1305, and prefer
it to RC4.
Raising the floor often breaks interoperability, and leads to people
disabling security or automatically failing over to cleartext, ...
https://www.ietf.org/mail-archive/web/perpass/current/msg00654.html
While there are minor inaccuracies in that post, the core points
stand.
Far more productive than disabling RC4 would be ensuring that it
is not the preferred cipher suite when better options are enabled.
To improve security, raise the ceiling. ChaCha, new EC curves,
extensions to negotiate DH parameters, ... Raising the floor can
do more harm than good.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
