General cipher security level
|Reported by:||ronald-scheckelhoff-trac||Owned by:||nobody|
|Has a Patch:||no||Platform:||All|
This "bug" report is in a gray area between bug report and suggestion. The latest nightly I've tested (hrev 48882) allows the use of 40 bit ciphers. These are generally considered very bad to use, and easily broken. Many out-of-the-box distros disallow them completely (Linux, etc.). However, it's a sticky issue because some sites that require these antiquated cipher suites may break if the browser/ssllib/network substrate doesn't allow them.
This "bug/not-bug" is therefore something that requires a judgement to be made, rather than just pointing to a particular coding problem. I'm not the expert here, but I can look at other distros that have tackled it differently. For instance, GnuTLS on FreeBSD, by default, doesn't allow anything less than 128 bits. Whether this is a problem to be handled at a low level (libs) or a high level (apps) is also a matter of judgement.
IMO this should be looked at prior to R1, maybe beta, and should include scores of other security-related issues, including protocol, cert, security vulnerability, and cipher issues. Maybe this is solved (or not) by a simple upgrade of the affected library versions, but I'm sure my opinion of this is not as good as the official Haiku security-dev gurus. :-)
To see the ciphersuite list currently provided by the Haiku software stack, use WebPositive and go to https://www.ssllabs.com/ssltest/viewMyClient.html
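An added example, not part of the original ticket or of Haiku's code: one way to check a client's offered cipher suites against a 128-bit floor like the one described above, using Python's standard `ssl` module. The sample list is constructed, and the function names and the cipher string are choices made for this example.

```python
import ssl

MIN_BITS = 128  # the floor the ticket cites for GnuTLS on FreeBSD

# Constructed sample in the dict shape returned by SSLContext.get_ciphers();
# it is not a capture from Haiku or WebPositive.
SAMPLE_OFFER = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
]


def weak_ciphers(offer, min_bits=MIN_BITS):
    """Return (name, bits) for every suite below min_bits, weakest first."""
    weak = [(c["name"], c["strength_bits"]) for c in offer
            if c["strength_bits"] < min_bits]
    return sorted(weak, key=lambda item: item[1])


def hardened_context():
    """Client context restricted to strong suites (assumed policy for this example)."""
    ctx = ssl.create_default_context()
    # OpenSSL cipher string: strong suites only, no anonymous or null
    # suites, and no 3DES (112-bit effective strength).
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!3DES")
    return ctx


def audit_local(ctx=None):
    """Audit the suites a context on this machine would offer."""
    ctx = ctx or ssl.create_default_context()
    return weak_ciphers(ctx.get_ciphers())


if __name__ == "__main__":
    print("constructed sample:", weak_ciphers(SAMPLE_OFFER))
    print("local default     :", audit_local())
    print("local hardened    :", audit_local(hardened_context()))
```

Null-encryption suites report 0 bits, so the same check flags them along with the 40-bit and 56-bit ones.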
Change History (8)
follow-up: 3 comment:2 by , 5 years ago
|Component:||Network & Internet → Kits/Network Kit|
|Milestone:||R1/beta1 → Unscheduled|
|Priority:||normal → low|