Re: openssl/libssl1 in Debian now blocks offlineimap?

To: debian-devel@lists.debian.org
Subject: Re: openssl/libssl1 in Debian now blocks offlineimap?
From: Tollef Fog Heen <tfheen@err.no>
Date: Sun, 20 Aug 2017 13:51:16 +0200
Message-id: <[🔎] 87fucmh2yz.fsf@err.no>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20170820092336.ebieeclimwqc2fbm@localhost> (Adrian Bunk's message of "Sun, 20 Aug 2017 12:23:36 +0300")
References: <20170814190938.td4vhyq5rqmmxlrw@shelf.conquest> <20170814200540.qunn4exfhwgnubio@roeckx.be> <20170815102826.GA2738@vidovic.ultras.lan> <[🔎] 20170815134905.uzhmjjsdifo6zky5@burischnitzel.preining.info> <[🔎] 20170815150449.tjfsf5g2pp4odv5q@roeckx.be> <[🔎] 20170815162616.xudlxhuihtmpe67w@localhost> <[🔎] 87d17siqqy.fsf@err.no> <[🔎] 20170820092336.ebieeclimwqc2fbm@localhost>

]] Adrian Bunk 

> On Fri, Aug 18, 2017 at 10:07:49PM +0200, Tollef Fog Heen wrote:
> > ]] Adrian Bunk 
> >... 
> > The PCI consortium extended the deadline until June
> > 2018.  Assuming that deadline holds, people with older machines will not
> > be able to access services such as online banking or pay online in
> > general.
> 
> That's wrong.

I'm not sure which bit of the quoted text you think is wrong.

> Think of the "TLS 1.2 not working with WPA" discussed earlier here that 
> might still affect half a billion active Android devices at the buster
> release date.[1]
> 
> The online banking app running on such a device will support TLS 1.2

Maybe, maybe not.  Depending on how it's implemented, it's non-trivial
to get TLS 1.2 support in there.  Just doing HTTP or TLS yourself is
easy enough, but if you want to use a webview, you're at the mercy of
the TLS libs of the OS.

> The PayPal app currently requires Android >= 4.0.3, released in 2011.

I'd not be surprised if that gets bumped, but that's just my guess, I
have no knowledge into what their actual plans are.

[...]

> >...
> > to make sure any users on platforms where support for that is
> > lacking get a proper notification and a chance to move to something
> > newer.
> >...
> 
> Imagine Debian running on the AP providing the WiFi for a Cafe.
> 
> What you are saying is that the staff working at the Cafe should explain 
> to their customers that they have to buy a new phone if they want to use 
> the WiFi.

Why would that be the case?  They're likely to just be using WPA2 or
have an open network, neither of which require TLS.

Arguing for keeping TLS 1.0 support means you're arguing for providing
users with a default-insecure setup.  In today's world, I think that's a
pretty poor choice.  Providing people with the possibility to fall back
to less secure solutions sounds like a much better choice, just like
it's possible to install an telnetd providing unencrypted logins, but it
requires you to actively go out and install it.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to:

Follow-Ups:
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Adrian Bunk <bunk@debian.org>
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Wouter Verhelst <wouter@debian.org>
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Michael Meskes <meskes@debian.org>

References:
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Norbert Preining <norbert@preining.info>
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Adrian Bunk <bunk@debian.org>
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Tollef Fog Heen <tfheen@err.no>
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Adrian Bunk <bunk@debian.org>

Prev by Date: Re: openssl/libssl1 in Debian now blocks offlineimap?
Next by Date: Re: Call for volunteers: FTP Team
Previous by thread: Re: openssl/libssl1 in Debian now blocks offlineimap?
Next by thread: Re: openssl/libssl1 in Debian now blocks offlineimap?
Index(es):
- Date
- Thread