> As a knowledgeable user, I despise user interfaces like that

As a knowledgeable user, you are in the minority and it is certainly your right 
to complain if your choices are restricted.

> and tend to recommend against such products even for novices.

I firmly believe this is wrong.

> A good user interface would provide a strength-sorted list of check

Strength isn't absolute and unchanging.  Which is stronger -- RC4 or AES?
(See http://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/
and http://www.openssl.org/news/secadv_20130205.txt )

> The key non-experimental benefit of such fine grained control is that
> it allows an administrator to work around new threats without having
> to wait for OpenSSL to release an updated library

This can also be done by having crypto profiles in the application, and just 
changing those profiles' values.

FWIW, we are doing something like this at Akamai. Our info-sec team will create 
and own a handful of crypto profiles, and we will be pushing customers to just 
use those profiles, rather than enter "raw" OpenSSL strings themselves. One of 
the driving forces for this was my review of a couple of thousand of 
cipher-suite specifications created by customers and Akamai staff.  Not a 
pretty sight. :)

        /r$
--  
Principal Security Engineer
Akamai Technology
Cambridge, MA
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
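
The profile indirection described in the reply above, as an added example that is not code from the original message, from Akamai, or from OpenSSL. The profile names, cipher strings and ban list are constructed for illustration, and the code uses Python's standard `ssl` module to expand each string against the local OpenSSL build.

```python
import ssl

# Constructed profile table: names and cipher strings are illustrative only.
PROFILES = {
    "modern": "ECDHE+AESGCM:!aNULL",
    "compat": "HIGH:!aNULL:!eNULL",
}

# Name fragments the profile owners currently refuse; expected to change over time.
BANNED = ("RC4", "NULL", "EXP-")


def expand(cipher_string):
    """Names of the ciphers the local OpenSSL build enables for this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if the string selects nothing
    return [c["name"] for c in ctx.get_ciphers()]


def violations(cipher_string, banned=BANNED):
    """Audit the expanded list, not the string: 'HIGH' or 'ALL' hide what they admit."""
    return [n for n in expand(cipher_string) if any(b in n for b in banned)]


def update_profile(name, cipher_string, banned=BANNED):
    """Owner-side change: one edit here reaches every user of the profile."""
    bad = violations(cipher_string, banned)
    if bad:
        raise ValueError(f"{name}: expands to banned ciphers {bad}")
    PROFILES[name] = cipher_string


def context_for(profile):
    """User-side entry point: accepts a profile name, never a raw cipher string."""
    if profile not in PROFILES:
        raise KeyError(f"unknown crypto profile: {profile!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(PROFILES[profile])
    return ctx


if __name__ == "__main__":
    for name in PROFILES:
        print(name, len(context_for(name).get_ciphers()), "ciphers enabled")
```

Extending `BANNED` and re-running `violations` over every stored profile shows which profiles need a new value when a cipher falls out of favour.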
