[Info-vax] OpenSSL CSWS-2.2-1
Bill Gunshannon
bill.gunshannon at gmail.com
Wed Jun 5 12:33:20 EDT 2019
On 6/5/19 12:02 PM, Phillip Helbig (undress to reply) wrote:
> In article <qd7kb1$95k$1 at dont-email.me>, Dave Froble
> <davef at tsoft-inc.com> writes:
>
>> You're missing the point. If a significant part of some company's
>> business is with a trading partner who will not upgrade their SSL
>> capabilities, and you have no way to get them to change, then, you do
>> what you have to do to stay in business.
>
> Indeed. While I understand the purpose of both encryption and
> authentication, many SSL implementations will refuse to connect if the
> offered ciphers are deemed to be insecure, rather than having an option
> (more common in web browsers) saying: "there is a problem, but if you
> know what you are doing, you can continue". Without that option, SSL is
> a non-starter if the other side is "too old", which is why some people
> still run telnet. Even if the cypher is not up to date, it is still
> better than no encryption, and at least there is authentication.
>
Having considerable experience with the subject at hand, I can
assure you that if the cypher is not up to date it is not better
than no encryption. It is the same as no encryption. The days
of security by obscurity should be long gone by this point.
bill