[tialaramex]

Again I'm not here to praise SRP, though I will mention that when I think of you and and dumb crypto for a full bypass I always think of your surprise that Microsoft shipped a broken ECC implementation in Windows some years back. It's hard to dig a pit of success deep enough that everybody falls in, and that's why I like systems where we don't tell people things they don't need in the first place.

We didn't end up path dependant on RC4 for example, even though it's in SSLv2. RC4 is similar to SRP in some ways because nobody was ever comfortable with it but people kept trying to patch the known issues until eventually we gave up on it entirely.

[tptacek]

Yes, we did! RC4 is a great example of what I'm talking about. It's a cipher nobody had any business ever using, and we were using it well into the 2010s, despite the fact that the (comically simple) underlying vulnerabilities in it were known in the 1990s.

[tialaramex]

How is RC4 a great example? Obviously with hindsight you'd choose something different, but in the mid-1990s there wasn't a lot of good options - in your alternate history do we just hope DES (which we know has a NOBUS for the US government) is OK forever? Do we go without SSL altogether ? What's the plan ?

[tptacek]

I don't understand. Why did we need RC4 for SSL? Most SSL and TLS connections just used CBC-mode.

[tialaramex]

CBC mode of what ? IDEA maybe ? Are you here to go to bat for IDEA because it's in better shape than RC4 (likely because nobody cares) ?

[tptacek]

Even DES-EDE is better than RC4.

[tialaramex]

3DES? I guess. People banged on it a lot more than IDEA, which is good, even on your worst days banging on things has potential to shake loose anything poorly put together. But as a "path dependency" I think it might teach an even worse lesson than RC4 did.

Edited: Sorry the last sentence was garbled nonsense originally, maybe it's the heat here. Or my brain is gradually deteriorating :/