[Info-vax] BridgeWorks

[Arne Vajhøj]

On 7/23/2024 3:16 PM, Dave Froble wrote:
> On 7/22/2024 2:31 PM, Arne Vajhøj wrote:
>> On 7/22/2024 1:39 PM, Dave Froble wrote:
>>> I would not consider SSL, TLS, MD5, Sha-1, and such applications.  
>>> They are
>>> more environment protection, the way I see it.  And you are correct, 
>>> some no
>>> longer protect the environment for the real apps.
>>>
>>> Please explain to me how an application, for example an inventory 
>>> application
>>> that tracks on hand product, would ever be involved in security?  It 
>>> is the
>>> environment that must provide the security, and the apps the actual 
>>> work.
>>> Things get a bit grey when an application communicates outside the
>>> environment, but even then, it is the available security that is 
>>> used, not the
>>> apps.
>>>
>>> So, your comments are not relevant to whether or not the apps written 
>>> in say
>>> VB6 need support, at least from a security perspective.
>>
>> I don't think it is good description of such stuff to call it
>> environment that are independent of applications.
>>
>> Sometimes application code directly specify algorithms.
>>
>> This one line of VB.NET code:
 >>
>> Test("SHA-2 256 bit (managed)", New SHA256Managed())
> 
> So now the discussion ignores the previous discussion, in this case 
> VB6?  As far as I know VB6 does not have what you mention below?

True.

But the concept of program code directly specifying algorithms
is generic.

That can also happen in VB6.

I just happened to have some VB.NET code but not any VB6 code.

>> use SHA-256. An no environment change will make it use a different
>> algorithm (unless one did some really dirty hacking of the
>> .NET libraries).
>>
>> Sometimes newer libraries are not available.
> 
> In my limited experience, encryption and such are separate 
> code/libraries.  So linking them into an existing app would still 
> provide protection.

Usually an external library.

But no guarantee that new versions will show up for a
library.

If the technology is generally considered obsolete then the
likelihood of new version may even be small.

>> Let us say that one has some code that use HTTPS. And
>> that programming language has a library that supports
>> TLS 1.3. Then in 5 years a vulnerability in TLS 1.3 is
>> found and TLS 1.4 is created. If a new version of the library
>> supporting TLS 1.4 becomes available then all fine - update the
>> library and the application is fine. But if not then the
>> application has a problem, because the available library is
>> not getting updated.
> 
> How does that differ from some "supported" implementation languages?  
> Doesn't matter if TLS 1.4 doesn't exist now, does it?

It is not like:

supported language => guarantee for updated library
not supported language => guarantee for no updated library

But the likelihood for an updated library is much higher
if the language is actively maintained, supported and
developed by the vendor, because there is an expectation that
there is a long term market for the library.

If the language has been EOL, not supported and superseded
by another product from the vendor, then the market has shrunk
and are expected to continue to shrink. That is a situation that
make many libraries drop support as well.

This is not just a theoretical thing.

If you look at third party COM components used by VB6 and VBS back
in the late 90's and early 00's, then most of it are gone. The move
may be pretty slow, but after 22 years then the market is heavily
reduced.

Arne