> As we all know, this will not be in 2.2.10... Please recall that > things must be in -trunk before being viable for backport to 2.2.x.
It's impossible to even express how disappointing this is ;( There are only two changes in TLS on the server side that have been identified to have any effect on phishing [1]. TLS/SNI is the easy one. A httpd fix will almost work by itself; the browsers already did their part [2]. Only the config changes implemented by all here are needed on the web server to turn the LAMPs on in a million small but secured sites. Which makes this the #1 easy fix for security in existing code bases, today, and since around 2004 [3]. This massive injection of activity will flow through in dozens of ways, e.g., by pulling more and more Linux guys into thinking about securing systems. What are the blockages? Mozo have offered money but don't know what to do or who to talk to? iang [1] The other is the PSK one which requires re-coding on the client side to be useful. Nice idea, but may take years to roll out. [2] in a concerted and serious effort from 2006 or so, the browser manufacturers implemented TLS/SNI. They also deprecated SSL v2, and actively chased sites to switch. TLS/SNI was one of the two reasons for actively going out there and badgering the sites, I forget the other reason. [3] The rest is really hard, like KCM and security UI. It requires end to end changes, and a lot of security re-thinking.
smime.p7s
Description: S/MIME Cryptographic Signature
