[haiku-bugs] [Haiku] #11915: General cipher security level

  • From: "ronald-scheckelhoff-trac" <trac@xxxxxxxxxxxx>
  • Date: Fri, 20 Mar 2015 17:45:37 -0000

#11915: General cipher security level
--------------------------------------+------------------------------
 Reporter:  ronald-scheckelhoff-trac  |        Owner:  nobody
     Type:  bug                       |       Status:  new
 Priority:  normal                    |    Milestone:  R1/beta1
Component:  Network & Internet        |      Version:  R1/Development
 Keywords:  cipher suites             |   Blocked By:
 Blocking:                            |  Has a Patch:  0
 Platform:  All                       |
--------------------------------------+------------------------------
 This "bug" report is in a gray area between bug report and suggestion.
 The latest nightly I've tested (hrev 48882) allows the use of 40 bit
 ciphers.  These are generally considered very bad to use, and easily
 broken.  Many out-of-the-box distros disallow them completely (Linux,
 etc).  However, it's a sticky issue because some sites that require these
 antiquated cipher suites may break if the browser/ssllib/network substrate
 doesn't allow them.

 This "bug/not-bug" is therefore something that requires a judgement to be
 made, rather than just pointing to a particular coding problem.  I'm not
 the expert here, but I can look at other distros that have tackled it
 differently. For instance, GNUtls on FreeBSD, by default, doesn't allow
 anything less than 128 bits.  Whether this is a problem to be handled at a
 low level (libs) or a high level (apps) is also a matter of judgement.

 IMO this should be looked at prior to R1, maybe beta, and should include
 scores of other security related issues, including protocol, cert,
 security vulnerability, and cipher issues.  Maybe this is solved (or not)
 by a simple upgrade of the affected library versions, but I'm sure my
 opinion of this is not as good as the official Haiku security-dev gurus.
 :-)

 To see the cipher suite list currently provided by the Haiku software
 stack, use WebPositive and go to
 https://www.ssllabs.com/ssltest/viewMyClient.html

--
Ticket URL: <https://dev.haiku-os.org/ticket/11915>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.
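
Added example, not part of the ticket or of Haiku's code: a local counterpart to the SSL Labs client check mentioned above, applying the 128-bit floor the ticket attributes to GnuTLS on FreeBSD. It assumes Python's ssl module as the stack being queried (Haiku's own stack is not inspected); the sample list and function names are constructed for illustration.

```python
import ssl

# Constructed sample, shaped like the entries of ssl.SSLContext.get_ciphers().
# "strength_bits" is the effective key strength; "alg_bits" is the nominal
# key size of the algorithm, which export-grade suites overstate.
SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128, "alg_bits": 128},
    {"name": "EXP-RC4-MD5", "strength_bits": 40, "alg_bits": 128},
    {"name": "DES-CBC-SHA", "strength_bits": 56, "alg_bits": 56},
    {"name": "DES-CBC3-SHA", "strength_bits": 112, "alg_bits": 168},
    {"name": "NULL-SHA", "strength_bits": 0, "alg_bits": 0},
]


def below_floor(ciphers, floor=128):
    """Return (name, strength_bits) for each suite weaker than floor, weakest first."""
    weak = [(c["name"], c["strength_bits"])
            for c in ciphers if c["strength_bits"] < floor]
    return sorted(weak, key=lambda item: (item[1], item[0]))


def overstated(ciphers, floor=128):
    """Suites that would pass a check on alg_bits but fail on effective strength."""
    return sorted(c["name"] for c in ciphers
                  if c["alg_bits"] >= floor > c["strength_bits"])


def audit_local_stack(floor=128):
    """Apply the same floor to the suites this interpreter's TLS library enables."""
    ctx = ssl.create_default_context()
    return below_floor(ctx.get_ciphers(), floor)


if __name__ == "__main__":
    for name, bits in below_floor(SAMPLE):
        print(f"sample  {bits:>3} bits  {name}")
    print("overstated by alg_bits:", overstated(SAMPLE))
    for name, bits in audit_local_stack():
        print(f"local   {bits:>3} bits  {name}")
```

The floor has to be checked against the effective strength: the constructed 40-bit export entry reports a nominal 128-bit algorithm size and would pass a check on that field.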
