On 17.09.2011 22:32, Pedro F. Giffuni wrote: > > > --- On Sat, 9/17/11, Rob Weir <[email protected]> wrote: > ... >> >> OpenSSL is a a validated module when run in "FIPS mode": >> >> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm#1111 >> >> But that would still apply to AES, not Blowfish. >> >> Think of it this way: FIPS 140 defines what the >> acceptable algorithms are. Then the actual modules, >> the actual libraries, are validated by 3rd party >> testing labs according to NIST criteria. If we use >> validated modules implementing approved algorithms, then >> we're golden. >> > > Thanks for this point. NSS is not certified and given the
where the heck did you get that idea? http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1280 > version OOo carries has known security issues I suggest > we kill the configure option to avoid hazards to our users. indeed the version shipped by OOo is outdated (3.12.6); newest one on the FTP server is: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_11_RTM/src/ (of course the OOo internal OpenSSL is similarly out of date...) > Without other options I prefer Blowfish to no security at all. > Again, patches for OpenSSL or any other certified solution > are welcome :). > > While here .. I also think we should kill mozilla: > > 1) The version we carry also has serious security issues. > 2) Google Chromium has a better license. but can Google Chromium read Mozilla address books? AFAIK that is all that OOo uses Mozilla for... > 3) I actually think we should be browser version agnostic. > >> I'd be happy if we had deep in some configuration dialog >> the ability for user (or more likely the IT department) >> to specify the algorithm to use. >> > > I would think it could be a compile time option so we could > name such switch "configure --with-ssl". > > See? Everyone happy now :). > > Cheers, > > Pedro.
