Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Since I don't agree, it cannot be everyone.

More precisely, I don't agree with web clients not connecting to old servers.



Security done properly requires some sacrifices. Keeping old insecure versions working means exposing users to trivial ways of breaking encryption.


If that were the actual principle being accurately followed, the first feature to have been removed from browsers would have been plain HTTP before any version of SSL.

Plain HTTP is what people resort to when their browser refuses to connect to an old device or server using HTTPS, which is worse than old SSL.


No, because clear lack of security is better than faux security. With older SSL versions, it's security that even creates extra risk for all clients (by leaking server secrets and allowing ciphersuites that don't have PFS).


What hogwash. You alert the user, problem solved.

The absurd idea that a user will have a 20 year old encrypted mail, because software still supports it, is ridiculous. What really happens is someone has a 20 year old mail no matter what, itcwill always exist, and the choice is, support it or not. Support it to be read, support it to be converted, warn the user, suggest fixes.

And your SSL example is senseless! In what world do you envision super secure stuff alongside weaker legacy, on the same damned server. You literally are not thinking sensibility about any of this, you examples are paper tigers.

This stance is absurb.


> You alert the user, problem solved.

How do you alert the users that are running the problematic software and haven't yet updated it? The very premise is ridiculous.

> What really happens is someone has a 20 year old mail no matter what, itcwill always exist, and the choice is, support it or not. Support it to be read, support it to be converted, warn the user, suggest fixes.

Well yeah and the choice should be to not support it. If the user needs those letters they can either decrypt or just re-encrypt them. It's silly to claim that a message can somehow be both so vital to be protected by encryption, but not upgraded to something more modern.

> And your SSL example is senseless! In what world do you envision super secure stuff alongside weaker legacy, on the same damned server.

I'm not envisioning it. Nobody should be running such old useless garbage. What was suggested earlier in this thread does not work and must not happen in practice.


How do you alert the users that are running the problematic software and haven't yet updated it? The very premise is ridiculous.

Where did you get the weird idea the software isn't updated? This entire discussion is about deprecation of older encryption methods in new versions of software.

You're not giving this thought. Good day.


Yes, but that is only needed to connect with old software that has not updated. Two pieces of new software will not negotiate on using old crypto even if they both support it.

In the trouble situations, one of the two pieces of software being upgraded is thrust upon the user.


> lack of security is better than faux security

Only when we are doing theatre. In the actual facts, lack of security is worse than inferior security.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: