Hacker News new | ask | show | jobs
by kazinator 922 days ago
If that were the actual principle being accurately followed, the first feature to have been removed from browsers would have been plain HTTP before any version of SSL.

Plain HTTP is what people resort to when their browser refuses to connect to an old device or server using HTTPS, which is worse than old SSL.
1 comments
Avamander 922 days ago
No, because clear lack of security is better than faux security. With older SSL versions, it's security that even creates extra risk for all clients (by leaking server secrets and allowing ciphersuites that don't have PFS).
link
b112 922 days ago
What hogwash. You alert the user, problem solved.

The absurd idea that a user will have a 20 year old encrypted mail, because software still supports it, is ridiculous. What really happens is someone has a 20 year old mail no matter what, itcwill always exist, and the choice is, support it or not. Support it to be read, support it to be converted, warn the user, suggest fixes.

And your SSL example is senseless! In what world do you envision super secure stuff alongside weaker legacy, on the same damned server. You literally are not thinking sensibility about any of this, you examples are paper tigers.

This stance is absurb.

link
Avamander 922 days ago
> You alert the user, problem solved.

How do you alert the users that are running the problematic software and haven't yet updated it? The very premise is ridiculous.

> What really happens is someone has a 20 year old mail no matter what, itcwill always exist, and the choice is, support it or not. Support it to be read, support it to be converted, warn the user, suggest fixes.

Well yeah and the choice should be to not support it. If the user needs those letters they can either decrypt or just re-encrypt them. It's silly to claim that a message can somehow be both so vital to be protected by encryption, but not upgraded to something more modern.

> And your SSL example is senseless! In what world do you envision super secure stuff alongside weaker legacy, on the same damned server.

I'm not envisioning it. Nobody should be running such old useless garbage. What was suggested earlier in this thread does not work and must not happen in practice.

link
b112 922 days ago
How do you alert the users that are running the problematic software and haven't yet updated it? The very premise is ridiculous.

Where did you get the weird idea the software isn't updated? This entire discussion is about deprecation of older encryption methods in new versions of software.

You're not giving this thought. Good day.

link
kazinator 922 days ago
Yes, but that is only needed to connect with old software that has not updated. Two pieces of new software will not negotiate on using old crypto even if they both support it.

In the trouble situations, one of the two pieces of software being upgraded is thrust upon the user.

link
kazinator 922 days ago
> lack of security is better than faux security

Only when we are doing theatre. In the actual facts, lack of security is worse than inferior security.

link