[Info-vax] BridgeWorks

Dave Froble davef at tsoft-inc.com
Tue Jul 23 15:16:20 EDT 2024 

On 7/22/2024 2:31 PM, Arne Vajhøj wrote:
> On 7/22/2024 1:39 PM, Dave Froble wrote:
>> I would not consider SSL, TLS, MD5, Sha-1, and such applications.  They are
>> more environment protection, the way I see it.  And you are correct, some no
>> longer protect the environment for the real apps.
>>
>> Please explain to me how an application, for example an inventory application
>> that tracks on hand product, would ever be involved in security?  It is the
>> environment that must provide the security, and the apps the actual work.
>> Things get a bit grey when an application communicates outside the
>> environment, but even then, it is the available security that is used, not the
>> apps.
>>
>> So, your comments are not relevant to whether or not the apps written in say
>> VB6 need support, at least from a security perspective.
>
> I don't think it is good description of such stuff to call it
> environment that are independent of applications.
>
> Sometimes application code directly specify algorithms.
>
> This one line of VB.NET code:

So now the discussion ignores the previous discussion, in this case VB6?  As far 
as I know VB6 does not have what you mention below?

> Test("SHA-2 256 bit (managed)", New SHA256Managed())
>
> use SHA-256. An no environment change will make it use a different
> algorithm (unless one did some really dirty hacking of the
> .NET libraries).
>
> Sometimes newer libraries are not available.

In my limited experience, encryption and such are separate code/libraries.  So 
linking them into an existing app would still provide protection.

But we all know Dave doesn't get out much, so perhaps not.

> Let us say that one has some code that use HTTPS. And
> that programming language has a library that supports
> TLS 1.3. Then in 5 years a vulnerability in TLS 1.3 is
> found and TLS 1.4 is created. If a new version of the library
> supporting TLS 1.4 becomes available then all fine - update the
> library and the application is fine. But if not then the
> application has a problem, because the available library is
> not getting updated.

How does that differ from some "supported" implementation languages?  Doesn't 
matter if TLS 1.4 doesn't exist now, does it?


-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486

More information about the Info-vax mailing list