
CertSimple (specifically me) patched node (specifically, io.js, which will become node again) as part of writing the article, so after the next release you won't need to do anything.

Other platforms should also keep up to date with browser changes. Cipher suites are a balancing act between compatibility and security; that's why Mozilla's Server Side SSL lets you pick the compatibility you want. But that doesn't mean eg, Apache or nginx couldn't provide better defaults in newer releases (they may be planning to do so already).

Reply to realusername's comment below (rate limit):

Not offended at all! I think concentrating the discussion amongst people who have the time to look into this, then having those decisions flow down to projects as defaults makes the web more secure. Mozilla's https://wiki.mozilla.org/Security/Server_Side_TLS project informed the node changes: hopefully it will also inform the defaults for eg the next nginx.

Reply to derefr's comment (rate limit):

Mozilla Server Side TLS is that set of agreed upon conventions. The Moz logic is great, since the conventions produce 3 sets of cipher suites with different compatibility / security tradeoffs.

We made https://www.npmjs.com/package/ssl-rsa-strength as a library implementing Mozilla's logic a little while ago.




Sorry if it was offensive, it was not directed to your work, you are really making the web more secure with these patches so I'm really grateful! It's just that sometimes, the current usability state of crypto just makes me a bit sad.



