Future of KSSL
George Staikos
staikos at kde.org
Fri Nov 17 19:11:52 GMT 2006
On 17-Nov-06, at 2:05 PM, Jernej Kos wrote:
>> This is not the right place to debate how to implement SSL, but
>> you must know that SSL is as much about the policy decisions as it is
>> about the cipher. Simply dropping a scramble over the wire without
>> having proper certificate validation is good for fooling only the most
>> primitive of those who might want to observe traffic. It gains
>> almost nothing in terms of security.
>
> No doubt about it, but currently there is no alternative - KSSL does not
> work properly and the users need basic SSL support in version 0.8.0.

If you are not providing full certificate validation and
management, you are not providing even basic SSL. You should
probably issue a security advisory.

KSSL does work fine. It's apparently just missing a feature that
you want.

> After this release and after porting to KDE4/Qt4 security concerns can be
> addressed (in KDE4 KSSL will hopefully be fixed so I can use that again
> with all the certificate storage and validation you have there), but
> currently there is no such choice.

This is a very strange statement since SSL is about security, so
implementing SSL "without security" is a very strange thing.

--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/