Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday June 20 2018, @03:32AM   Printer-friendly
from the die-die-die dept.

As TLS 1.3 inches towards publication into the Internet Engineering Task Force's RFC series, it's a surprise to realise that there are still lingering instances of TLS 1.0 and TLS 1.1.

The now-ancient versions of Transport Layer Security (dating from 1999 and 2006 respectively) are nearly gone, but stubborn enough that Dell EMC's Kathleen Moriarty and Trinity College Dublin's Stephen Farrell want it formally deprecated.

This Internet-Draft (complete with “die die die” in the URL) argues that deprecation time isn't in the future, it's now, partly because developers in recalcitrant organisations or lagging projects probably need something to convince The Boss™ it's time to move.

The last nail in the coffin would be, formally and finally, to ban application fallback to the hopelessly insecure TLS 1.0 and 1.1 standards.

Deprecation also removes any excuse for a project to demand support for all four TLS variants (up to TLS 1.3), simplifying developers' lives and reducing the risk of implementation errors.

[...] The publication of TLS 1.3 into the RFC stream is imminent – it's reached the last stage of the pre-publication process, author's final review. When it's published, it will carry the designation RFC 8446.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Insightful) by driverless on Wednesday June 20 2018, @10:42AM (3 children)

    by driverless (4770) on Wednesday June 20 2018, @10:42AM (#695534)

    As a followup based on a PM, since I never set any benchmark for what resources it would take, let's say you can call something "hopelessy insecure" if you can achieve either full plaintext recovery or full message forgery in close to real time, say 5 seconds or less. That figure is chosen so it won't be noticed by the victim if there's too much delay, maybe 30s for a web site but for something like SIP it'd have to be close to real time, 5s seems a good compromise.

    So I'll modify my previous challenge to say that "you can call it hopelessy insecure if you can demonstrate full plaintext recovery or message forgery in five seconds or less against TLS 1.0 or 1.1 for a typical target site like eBay or Paypal".

    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 2) by FakeBeldin on Wednesday June 20 2018, @11:10AM (2 children)

    by FakeBeldin (3360) on Wednesday June 20 2018, @11:10AM (#695536) Journal

    I would still not consider that "hopelessly insecure".
    For me, hopelessly insecure is when a non-expert with access to Google can break the security in 5 minutes or less.

    If someone is able to break Paypal or eBay, it might just mean that that person is good at this (or: spend enough effort to defeat them).

    • (Score: 2) by darkfeline on Thursday June 21 2018, @03:25AM (1 child)

      by darkfeline (1030) on Thursday June 21 2018, @03:25AM (#695983) Homepage

      By that definition, being vulnerable to SQL injection attacks or storing passwords hashed using MD5 and unsalted is not "hopelessly insecure". Hell, ROT13 might barely escape being "hopelessly insecure", given the average person's comprehension skills.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 2) by FakeBeldin on Thursday June 21 2018, @07:31AM

        by FakeBeldin (3360) on Thursday June 21 2018, @07:31AM (#696079) Journal

        ...which underscores that I feel that "hopelessly insecure" is a very strong statement.
        If the average person that understands the security purpose of a device/security control cannot trivially break it, then I believe "hopelessly" is an overstatement.

        Note that not all SQL injection may not fall under this: I'd be surprised if you couldn't learn within 5 minutes to type "test; DROP DATABASE" into a form field.