[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Feds put heat on Web firms for master encryption keys



> inconsistent (client and server) software support

This is taken care of by preferences. Set the highest you
are able to support and keep pushing it higher. Clients do
the same. It's negotiable preferences, no flag days, everyone
wins.

> At a guess, I'd say a mix of laziness,
> and worries about additional CPU overhead.

These are more common.

> I had to pull Apache 2.4 out of Sid

Unfortunately port/package repos can be a bit behind
state of the art. Locally... untar ; ./configure ; make
is not that hard to learn.

> corporate policy

If only as to doing mandated things like TLS termination and DPI.

> Turning off non-FS algos breaks SSL for a *lot* of people.

Set preferences, not hard cutoffs.

> So the many servers where OpenSSL isn't getting upgraded any
> time soon can't do it either.

I've only found compiling new software on old systems to be
a problem like this. ie: 1.0.1 won't compile on them. I grant that
it can be hard to migrate off old platforms.

> submit bugs against the web server packages from the usual
> suspects (debian et al) asking them to turn on forward secrecy
> by default?

Legitimately squeaky wheels get greased first.