On 04/14/2010 02:58 AM, Marsh Ray:
Here are some excerpts from http://tools.ietf.org/html/rfc5746. I tried to cut out some of the irrelevant details so as not to "desensitize" everybody with too much information :-)
Thanks for your response here...
So the RFC RECOMMENDED many times against doing things that are ultimately unsafe, but is also realistic.
Perhaps quite right so...
I was counting on the vendors of user agents and minimally-inspecting firewalls to inform and motivate the patching process. We need visible warnings which increase in prominence over time if we are going to dig our way out of this.
It might be possible for the clients to ping the server if renegotiation (in the old way) is supported at all. There are quite a few servers out there that don't do that by default. With this, the pain could perhaps be mitigated.
If the connection fails to provide data integrity and/or confidentiality against a demonstrable MitM, at some point we just have to admit it's not a secure connection worthy of a locked icon.
The claim was made here that the client software can only truly know if a server is secure in case RFC 5746 is supported.
Let's call it a duck, get everyone patched, and move on.
If that were as easy as you say, we'd truly be living in a better world :-)
Perhaps the best thing that will happen is that old browsers will finally see the end of their time once most servers have upgraded. When that will happen, who knows...
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: [email protected]
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

