On 07.11.2013 21:29, Thijs Alkemade wrote:

On 7 nov. 2013, at 20:50, Alexander Holler <[email protected]> wrote:

"up to date" is the keyword here. E.g. squeeze is still supported but its 
openssl doesn't support TLSv1.2. And even if it were EOL, I would like to 
have the freedom to choose myself when I stop using it.

And some people might still want to use SSLv2 with DES, but it’s really not a 
good reason to keep using protocols with known vulnerabilities. If we were 
adjusting the requirements so even the laziest admins wouldn’t need to do 
anything, then it would hardly be a manifesto.

Sure, that's why I'm here speaking against the requirement for TLSv1.2. The 
manifesto sounds like it might be a good idea to enforce that requirement on 
the S2S too, and that clearly isn't what should be done in my opinion.

There’s no such requirement in the manifesto and I know many people would be 
against doing that right now.

I already seem to be pretty alone with letting the user choose what he thinks 
he needs (I'm pretty much in support of encouraging strong encryption, just not of 
_requiring_ it, at least not now).

There’s also no requirement for “strong” encryption, unless you count the MTI 
cipher suite TLS_RSA_WITH_AES_128_CBC_SHA from 6120 or the requirement to 
prefer forward-secret cipher suites.

In any case, the attack vector here isn't that the NSA or GCHQ are
targeting you specifically. It's that they're targeting everyone, and
keeping that information around in case they need it later. This is why
we're suggesting encrypting everything, and with PFS, so that it's
worthless, and so they *need* to target you to snoop on you.

I know all that (don't misinterpret the fact that I've forgotten that DH 
has been supported by openssl for a long time), but I wouldn't use my server for 
any communication I want to be secret. At least not for stuff which isn't p2p 
encrypted (and XMPP usually is not).

You don’t care about security, you don’t want your communication to be secret… 
why are you even discussing this? You’re derailing this thread with 
misinformation and showing an unwillingness to change anything.

Sorry, people, do you all like to turn the words in my mouth into something I haven't said?

What a scary list.

I never said I don't want my communication to be secret and I never said that I don't care about security. I have just said that I don't care if the communication I do through XMPP on my little server uses strong encryption. And no word about security.

And that doesn't mean that I don't care about my privacy, in fact I care a lot, I'm just not so silly as to think that I could use XMPP for that without P2P encryption. That's a whole different thing than you want to imply.

Thanks for being that iniquitous.

Alexander Holler


_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
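The two requirements Thijs cites from the manifesto, preferring forward-secret cipher suites while the RFC 6120 MTI suite TLS_RSA_WITH_AES_128_CBC_SHA stays available as a fallback, can be checked mechanically against what the local OpenSSL actually enables. The following is an added example written for this page, not code from the thread or from any XMPP server; the cipher preference string, the function names and the sample cipher lists are assumptions, and the sample lists are constructed to mirror the shape of `SSLContext.get_ciphers()` output.

```python
"""Audit an OpenSSL cipher preference list against two points from the thread:
forward-secret (ECDHE/DHE) suites must rank first, and the RFC 6120 MTI suite
TLS_RSA_WITH_AES_128_CBC_SHA (OpenSSL name AES128-SHA) may still be offered
as a last resort.  Added example; the cipher string below is an assumption."""
import ssl

# Assumed server-side preference string (not from the thread): forward-secret
# suites first, then AES128-SHA as the only non-FS fallback for old peers.
PREFERRED_CIPHERS = (
    "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:"
    "AES128-SHA:!aNULL:!eNULL:!MD5:!RC4"
)
MTI_SUITE = "AES128-SHA"

# Key-exchange tags as reported by SSLContext.get_ciphers().  TLS 1.3 suites
# report "kx-any"; their key exchange is always ephemeral (EC)DH.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def is_forward_secret(cipher):
    """cipher: one dict from SSLContext.get_ciphers() (only 'kea' is needed)."""
    return cipher["kea"] in FORWARD_SECRET_KX


def audit_preference(ciphers, require_mti=True):
    """Return a list of findings for a cipher list in preference order.

    Rule 1: no forward-secret suite may rank below a non-forward-secret one,
            otherwise a server-preferring peer ends up without PFS.
    Rule 2 (optional): the MTI suite must be present as the fallback.
    An empty list means the order is acceptable.
    """
    findings = []
    seen_non_fs = False
    for c in ciphers:
        if is_forward_secret(c):
            if seen_non_fs:
                findings.append(
                    f"{c['name']}: forward-secret suite ranked below a non-FS suite"
                )
        else:
            seen_non_fs = True
    if require_mti and MTI_SUITE not in [c["name"] for c in ciphers]:
        findings.append(f"{MTI_SUITE}: RFC 6120 MTI suite not offered")
    return findings


def build_server_context():
    """Server context: TLS 1.2 minimum, and our order wins over the client's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(PREFERRED_CIPHERS)
    return ctx


def audit_live_context():
    """Audit what the local OpenSSL really enabled for PREFERRED_CIPHERS.

    The MTI suite is not required here: a distribution running a strict
    OpenSSL security level may refuse AES128-SHA, which is a local policy."""
    return audit_preference(build_server_context().get_ciphers(), require_mti=False)


# Constructed sample lists (same shape as get_ciphers() output, trimmed to the
# fields the audit reads) so the rules can be exercised offline.
GOOD_ORDER = [
    {"name": "TLS_AES_128_GCM_SHA256", "kea": "kx-any"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe"},
    {"name": "DHE-RSA-AES128-GCM-SHA256", "kea": "kx-dhe"},
    {"name": "AES128-SHA", "kea": "kx-rsa"},
]
BAD_ORDER = [  # MTI suite ranked first: the client gets no forward secrecy
    {"name": "AES128-SHA", "kea": "kx-rsa"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe"},
]

if __name__ == "__main__":
    print("constructed good order:", audit_preference(GOOD_ORDER) or "OK")
    print("constructed bad order: ", audit_preference(BAD_ORDER))
    print("local OpenSSL:         ", audit_live_context() or "OK")
```

`audit_live_context()` is the part worth running on a real server: it reports what the installed OpenSSL made of the preference string, which on a squeeze-era build (no TLS 1.2, no AEAD suites) would differ from the constructed lists and is exactly the gap the thread argues about.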
