[Info-vax] BridgeWorks

Arne Vajhøj arne at vajhoej.dk
Wed Jul 24 23:11:41 EDT 2024 

On 7/24/2024 10:50 PM, Dave Froble wrote:
> On 7/23/2024 8:16 PM, Arne Vajhøj wrote:
>> On 7/23/2024 3:16 PM, Dave Froble wrote:
>>> On 7/22/2024 2:31 PM, Arne Vajhøj wrote:
>>>> Let us say that one has some code that use HTTPS. And
>>>> that programming language has a library that supports
>>>> TLS 1.3. Then in 5 years a vulnerability in TLS 1.3 is
>>>> found and TLS 1.4 is created. If a new version of the library
>>>> supporting TLS 1.4 becomes available then all fine - update the
>>>> library and the application is fine. But if not then the
>>>> application has a problem, because the available library is
>>>> not getting updated.
>>>
>>> How does that differ from some "supported" implementation languages?  
>>> Doesn't
>>> matter if TLS 1.4 doesn't exist now, does it?
>>
>> It is not like:
>>
>> supported language => guarantee for updated library
>> not supported language => guarantee for no updated library
>>
>> But the likelihood for an updated library is much higher
>> if the language is actively maintained, supported and
>> developed by the vendor, because there is an expectation that
>> there is a long term market for the library.
>>
>> If the language has been EOL, not supported and superseded
>> by another product from the vendor, then the market has shrunk
>> and are expected to continue to shrink. That is a situation that
>> make many libraries drop support as well.
>>
>> This is not just a theoretical thing.
>>
>> If you look at third party COM components used by VB6 and VBS back
>> in the late 90's and early 00's, then most of it are gone. The move
>> may be pretty slow, but after 22 years then the market is heavily
>> reduced.
> 
> You assume that such libraries are for specific environments, and some 
> may be. But isn't OpenSSL sort of generic, usable by just about 
> anything?  Should not most such things be that way.  If not, then why not?

OpenSSL is widely used for a certain type of languages in modern time.
If you have an application written in a native language within
the last two decades, then there is a pretty good chance that it uses
OpenSSL. JVM languages, CLR languages, script languages - no (at least
not directly). Something written 30 years ago - no (it would use
Bsafe or something else that had the proper RSA license).

VB6 is a bit in the middle. VB6 can call functions in regular
Win32 DLL's, but often a COM component will be preferred - OO API,
the choice between static and dynamic (dynamic only if a scriptable
COM component), usually nicer API with less hacking with data types.

Arne

More information about the Info-vax mailing list