On Apr 20, 2014, at 20:20, Joe User <mailingli...@rootservice.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 20.04.2014 18:40, Matti Nykyri wrote: >> On Apr 20, 2014, at 15:38, Mick <michaelkintz...@gmail.com> wrote: >> >>> On Sunday 20 Apr 2014 10:10:42 Dale wrote: >>> >>> Just a 1/3 of all websites offer TLSv1.2 at the moment and hardly >>> any public sites offer it as an exclusive encryption protocol, >>> because they would lock out most of their visitors. This is >>> because most browsers do not yet support it. MSWindows 8.1 MSIE >>> 11 now offers TLSv1.2 by default and has dropped the RC4 cipher >>> (since November last year). I understand they are planning to >>> drop SHA-1 next Christmas and have already dropped MD5 because of >>> the Flame malware. This should push many websites to sort out >>> their encryption and SSL certificates and move away from using >>> RC4 and SHA1 or MD5. As I said RC4 has been reverted to by many >>> sites as an immediate if interim defence against the infamous >>> BEAST and Lucky Thirteen attacks. >> >> This is a problem all Microsoft's customers are facing. > > Take a look on Linux Distros from 2000 when WinXP has been developed, > and you'll see, that the Linux Distros weren't better in this. Same > for the time when WinVista was developed, and the same for Win7 and Win8. > So don't blame Microsoft for things that they did as good as everybody > else did, that would be unfair. Ok, that's a good point. Sorry, didn't really think about it that way. It's mostly a user issue for not updating their software. But still the point is correct that the ones that are suffering of this are their customers, although its not Microsoft's fault. But the number of people using a Linux Distro from the year 2000 is neglible... And of course there are many reasons for that. But what is something to blame Microsoft for is the order of preference that MSIE selects it's cipher. I don't know if user can change this order but i think it would be better to order them by security and not by some other factor ei speed. But thats just my oppinion and I usually try to stay away from windows :) >> Anyways I just wonder who trusts software whose source code isn't >> open and and reviewed by a large community that don't have a >> financial interest on you. > > Ouch, wrong argument, realy! Nobody in the large opensource community > had ever reviewed the heartbeat code in more than two years. This was > not a harmless bug in a mostly unused library, it was a realy big > issue in one of the most used library in the world and *nobody* saw it. > Has openssl ever been carefully audited? I don't think so and i bet > that there are more heartbleed like bugs in openssl. Yes heartbleed was solely a bug in openssl and yes it was truely severe and that should never ever be allowed to happen. > On the other hand schannel (the Windows cryptolib) is regularly audited. > Sorry, but the large opensource community is blind on both eyes, > whereas the closed source community is only blind on one eye. But I still disagree... Everybody has some goals why they are doing something.. Some of these goals might be private and some are public. The public and private goal need not to correlate. For any PLC their true goal is to make money for their stock holders. People are by nature greedy and put their own interests above everybody-else's. I think there are less of these greedy people within the open-source community than in general. How can you say that nobody is auditing the security of open-source software? We audit all the software and hardware we use! And every company should. Open-source is just easier coz you have the source to look at. Hardware is the trickiest one to audit of-course. Big agencies have capital to put their people to work in the closed source companies and try inject their goals to the code. It is even harder if you inject the vulnerability to hardware as claimed by Snowden. If you look at Linux kernel I think that is a quite good example on how software should be developed. The update cycle is fast and the few bugs that are found get fixed rapidly. And better the program is written the easier it is to debug and avoid security disasters. Just be reviewing a file you can see how well it is organized and that tells you about the quality of the program. All these things are mostly opinions and speculation because all the data has not been disclosed. Snowden revealed it to some extent but with that content you can analyze the hole extent of operations. What would you do if there were no limits? -- -Matti
