

RFC 7568: SSL 3.0 Is Now Officially Deprecated - Mojah
https://ma.ttias.be/rfc-7568-ssl-3-0-is-now-officially-deprecated/?hn

======
mc_hammer
Why?

There's an open bug in the TLS issues for the last 1 year.

It contains a buffer exploit in the SupplementalData function.

---------------------

Supple Mental Data...

The literal definition of this phrase is: Enough mental data

and that's where the exploit hides. Coincidence?

No... there's so many distractions [data] out there that this exploit can just
sit there in the open.

And that's the literal instance of the phrase, "supple mental data to hide an
exploit"

Another good example is when you have 100 commits per day, from 50 developers
in 25 countries, like on the OpenSSL project. Who can security-check all those
commits? It's also logistically impossible to verify all of them are not NSA.

An even better one is an SSH client supporting 100 protocols, everything from
ancient VTxx to untested 2016 TLS heartbeat code. I wonder which line in the
32,000 contains the exploit or crypto flaw?

And another example is how many downvotes my posts on TLS bugs have gotten :D

----------------------

TLS has already had 2 show-stopping bugs; they were beginner crypto mistakes
like reusing a nonce (or null nonce)

or were they?

also Heartbleed and LogJam

it's also being purposely mislabeled (?) as https

there's no reason to run all of the world's https and ssh traffic on this.

----------------------

moar? Global r00t continues:
[http://8ch.net/g/res/2200.html](http://8ch.net/g/res/2200.html)

~~~
mattkrea
I guess I'm confused about your stance. What is your suggestion? Stay on SSL 3
because TLS 1.0 and TLS 1.1 have issues?

Are there any known issues with TLS 1.2? I'm not aware of any.

~~~
mc_hammer
What I feel is:

- don't mislabel it as https

- every dev who is gonna use TLS should try to verify the security of their
language's TLS implementation

- they should do a feature freeze for at least 1 year or something and let us
verify our implementations; there's no need for a new TLS every 3 months or
they are doing it wrong

- don't run all the world's https and ssh over TLS, at least give everyone two
options

- before we let them global root everything, know how ____hard it is going to
be to set up a meshnet

~~~
mattkrea
How is it mislabeling https? HTTP over TLS is still HTTP over a secure tunnel.

~~~
mc_hammer
I was basing off the W3 director's article [1]

1: [http://www.w3.org/DesignIssues/Security-NotTheS.html](http://www.w3.org/DesignIssues/Security-NotTheS.html)

