What to do about SSL strength - refocused

George Staikos staikos at kde.org
Thu Mar 9 10:05:23 GMT 2006


On Wednesday 08 March 2006 13:49, Charles Samuels wrote:
> I've always liked the idea of not only having a blacklist, but also shaming
> the web sites.  We can use this in the case of SSL, JavaScript, and DNS.
>
> By shaming, I mean, tell the user that this web site is "known by the KDE
> team to be defective" and that "corrective measures" have been taken as a
> workaround.
>
> This way:
> - We don't get bug reports (in theory ;)
> - Users get their web site
> - The web site may receive enough embarrassment to be fixed.
>
> Ideally, we would publish this list somewhere from which KDE can download
> updates regularly.

  Here's the problem with this.  As far as I'm concerned, I'm not interested.  
I have no plans to implement this code, maintain this list, or be involved in 
chasing down sites in any way at all.  For my purposes, 128-bit is secure 
enough.  By the time someone with desire to do bad to -me- has enough 
computing power to do so, the data I encrypted will be obsolete.  In the 
future we will of course support 168, 256, and more.  For now, all I care 
about is that it is "secure enough" and that sites just work.

   I also think it's a monumental task to debug each of these and determine 
what the problem is, then track each of those sites to determine if and when 
they fix themselves.

   So to bring this thread back on topic, I'm faced with one choice of two:
1) Do nothing, the sites are broken.  Users will just not be able to access 
those sites until they fix themselves.
2) Disable strong ciphers by default and/or have OpenSSL negotiate "known 
good" ciphers before the new 256/168 ones again.

   I haven't heard any other suggestion that I'm willing to deal with.  If 
someone else wants to do something different, as long as they don't "break 
the internet" further, that's fine with me.  Be warned, you face The Wrath Of 
George if you break KSSL or significantly increase my bug tracking load.

-- 
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/





More information about the kde-core-devel mailing list