Hi, I think this question needs to be asked.

We have a TLS extension here that - as far as I can see - nobody uses. I have asked in different contexts recently if anyone is aware of real software that makes use of the heartbeat extension. I often got answers like "it could be used for X", but not a single one of them saying "there is software Y that does X with it". Also, a search on ohloh turned up nothing.

I think there is no justification to have an extension that gets enabled by default around if it is not used. So I propose that openssl either disables it in the default build or removes it completely. I'd suggest the first one if there are reasonable chances that anyone might use it in the future.

And: I'd like to see a discussion on what further unused features there are in OpenSSL that could be disabled just to reduce attack surface. E.g. I could think of removing DSA key support, because nobody uses that anyway and DSA is a bad algorithm.

cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
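The proposal above is to compile the heartbeat extension (and possibly DSA) out of the default build. As an added example, not part of the original post or of the OpenSSL project, the following shell script shows how an administrator can verify what a given OpenSSL build has actually compiled out: OpenSSL's `./config no-<feature>` options (for example `no-heartbeats`, `no-dsa`) record their choice as `OPENSSL_NO_<FEATURE>` defines in the generated `opensslconf.h`, and the script greps for those. The header content embedded below is a constructed sample standing in for a real `opensslconf.h`; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project):
# check which features an OpenSSL build has compiled out by looking for the
# OPENSSL_NO_<FEATURE> defines that "./config no-<feature>" writes into
# crypto/opensslconf.h. The header content below is a constructed sample.

# feature_disabled HEADER FEATURE
# Returns 0 if HEADER defines OPENSSL_NO_<FEATURE>, 1 otherwise.
# The pattern tolerates the "# define" spacing Configure emits.
feature_disabled() {
    header="$1"
    feature="$2"
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_${feature}([[:space:]]|$)" "$header"
}

# feature_state HEADER FEATURE
# Prints "disabled" or "enabled" for use in a human-readable report.
feature_state() {
    if feature_disabled "$1" "$2"; then
        echo disabled
    else
        echo enabled
    fi
}

# Constructed sample mimicking a header produced by "./config no-heartbeats"
# on a build that still has DSA enabled (the default).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
/* opensslconf.h (constructed sample, not generated by Configure) */
#ifndef OPENSSL_NO_HEARTBEATS
# define OPENSSL_NO_HEARTBEATS
#endif
#ifndef OPENSSL_NO_KRB5
# define OPENSSL_NO_KRB5
#endif
EOF

# report HEADER
# Prints the state of the features discussed in the thread plus one
# unrelated feature, so a reader can see both outcomes.
report() {
    for f in HEARTBEATS DSA KRB5; do
        printf '%-12s %s\n' "$f" "$(feature_state "$1" "$f")"
    done
}

report "$SAMPLE_CONF"
```

Against a real build, point `report` at the installed header (for example `include/openssl/opensslconf.h` under the install prefix); a build configured with `no-heartbeats no-dsa` should report both features as `disabled`. `openssl version -a` also prints the compiler flags and can be cross-checked for the same `-DOPENSSL_NO_...` defines.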